[OpenVPN home] [Date Prev] [Date Index] [Date Next]
[OpenVPN mailing lists] [Thread Prev] [Thread Index] [Thread Next]
Web openvpn.net

Re: [Openvpn-users] Secret Key Question

  • Subject: Re: [Openvpn-users] Secret Key Question
  • From: James Yonan <jim@xxxxxxxxx>
  • Date: Tue, 7 Sep 2004 09:56:14 -0600 (MDT)

On Sat, 4 Sep 2004, Doug Lytle wrote:

> Anthony,
> I use a script to re-key every morning, copy the new keys across the 
> tunnel and restart.

You are sort of doing manually what SSL/TLS will do automatically.  For 
example if you ran OpenVPN in TLS mode and added --reneg-sec 86400, you 
would get a daily rekeying.

The only problem with your approach is that if you copy the new key over 
the old connection, i.e. if the new key is encrypted with the old key then 
sent to the remote peer, you lose "Perfect Forward Secrecy".  In other 
words, someone could conceivably derive your current key from your old key 
if they had recorded your prior encrypted communications.

If you use SSL/TLS mode or ssh to copy the keys, then you would have 
perfect forward secrecy.


Openvpn-users mailing list