
Re: [Openvpn-users] Client key exchange

  • Subject: Re: [Openvpn-users] Client key exchange
  • From: chosner@xxxxxxxxxxxxxxxxx
  • Date: Fri, 7 Oct 2005 23:28:27 -0400 (EDT)

Well, since I wrote that, I might as well answer this.

You have two different things you are doing.  First is authentication.  
You want to prove that the entity on the other end of the tunnel is who 
you think it is.  You use your client private key (and your server private 
key) to make sure the client and the server are both who they claim to be.  
This is the purpose of the client private key, authentication.

Second is key agreement.  After you're comfortable that you're speaking 
with the correct entity, you want to embark on the key agreement or key 
exchange steps.  This is where the master secret is created and the key 
block built.  But you don't do this step until you've used the client 
private key to validate identity.  Once identity is verified, this key 
block is chopped up to create the symmetric keys and the hmac send and 
receive keys.

I can build you a graphic description of this if it would be helpful.  
Please contact me off list as we'll be straying from OpenVPN specific and 
moving towards general cryptography.


On Mon, 19 Sep 2005, Szüts Péter wrote:

> Hello !
> I've posted this to the openvpn-devel list, but they sent me here. :) So:
> I see I have to be more specific, otherwise you underestimate me. :)) So here's the big deal:
> I've found OpenVPN client key exchange in http://www.sans.org/rr/whitepapers/vpns/1459.php It says in message 3: "The client also generates and sends what is called a pre-master secret. The pre-master secret is the last parameter in the key derivation/exchange function and is encrypted with the server's public key." 
> In the end we have the same pre-master secret on both sides and the client and server could generate the same master secret with a well-known mechanism. It's all clear, but the OpenVPN howto says I have to declare in the client configuration file where to find the client's private key. If OpenVPN uses the key derivation method mentioned above, why do we need the client's private key in the config file? Where are we using it? By accident, don't you have a flow chart or message exchange figure about this? :)
> Otherwise I'm a student from Budapest Technical and Economical University, faculty of electrical engineering, dealing with electrical services and security. We're working on a project; that's why we need this information. Thanks in advance:
> Peter
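The key agreement step the reply describes (pre-master secret in, master secret out, key block "chopped up" into per-direction cipher and HMAC keys), as an added example that is not from the thread and not OpenVPN's own code. It assumes the TLS 1.2 PRF from RFC 5246 (the thread does not say which TLS version is in use), key sizes for an AES-128-CBC / HMAC-SHA1 suite, and constructed handshake randoms and pre-master secret. The authentication step is deliberately absent: the derivation below takes the pre-master secret and both randoms and nothing else, which is the answer to the original question of where the client private key is used (it is not an input here; it is used earlier to prove identity).

```python
import hashlib
import hmac

# Constructed sample values (not captured from a real session).  In a real
# handshake the randoms travel in ClientHello/ServerHello and the pre-master
# secret is sent by the client encrypted to the server's public key.
CLIENT_RANDOM = bytes([0x11]) * 32
SERVER_RANDOM = bytes([0x22]) * 32
PRE_MASTER_SECRET = bytes(range(48))

# Key sizes for an assumed AES-128-CBC / HMAC-SHA1 cipher suite.
MAC_KEY_LEN, ENC_KEY_LEN, IV_LEN = 20, 16, 16

# Order in which RFC 5246 section 6.3 chops the key block (client first).
KEY_BLOCK_LAYOUT = (
    ("client_write_MAC_key", MAC_KEY_LEN),
    ("server_write_MAC_key", MAC_KEY_LEN),
    ("client_write_key", ENC_KEY_LEN),
    ("server_write_key", ENC_KEY_LEN),
    ("client_write_IV", IV_LEN),
    ("server_write_IV", IV_LEN),
)


def p_sha256(secret: bytes, seed: bytes, length: int) -> bytes:
    """P_SHA256 data-expansion function (RFC 5246, section 5)."""
    out = b""
    a = seed                                                   # A(0) = seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()       # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]


def prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.2 PRF: P_SHA256(secret, label + seed)."""
    return p_sha256(secret, label + seed, length)


def derive_master_secret(pre_master: bytes, client_random: bytes, server_random: bytes) -> bytes:
    """master_secret = PRF(pre_master, "master secret", client_random + server_random), 48 bytes.
    The inputs are the pre-master secret and the two randoms; no private key is involved."""
    return prf(pre_master, b"master secret", client_random + server_random, 48)


def expand_key_block(master: bytes, client_random: bytes, server_random: bytes) -> dict:
    """key_block = PRF(master, "key expansion", server_random + client_random),
    then chopped in the fixed KEY_BLOCK_LAYOUT order."""
    total = sum(size for _, size in KEY_BLOCK_LAYOUT)
    block = prf(master, b"key expansion", server_random + client_random, total)
    keys, offset = {}, 0
    for name, size in KEY_BLOCK_LAYOUT:
        keys[name] = block[offset:offset + size]
        offset += size
    return keys


def direction_keys(keys: dict, role: str) -> dict:
    """Map the shared key block onto one side's send/receive keys.  The client's
    send (write) keys are exactly the server's receive keys, and vice versa."""
    me, peer = ("client", "server") if role == "client" else ("server", "client")
    return {
        "send_key": keys[f"{me}_write_key"],
        "send_mac_key": keys[f"{me}_write_MAC_key"],
        "send_iv": keys[f"{me}_write_IV"],
        "recv_key": keys[f"{peer}_write_key"],
        "recv_mac_key": keys[f"{peer}_write_MAC_key"],
        "recv_iv": keys[f"{peer}_write_IV"],
    }


if __name__ == "__main__":
    master = derive_master_secret(PRE_MASTER_SECRET, CLIENT_RANDOM, SERVER_RANDOM)
    block = expand_key_block(master, CLIENT_RANDOM, SERVER_RANDOM)
    for name, value in block.items():
        print(f"{name:22s} {value.hex()}")
    print("client send == server recv:",
          direction_keys(block, "client")["send_key"] == direction_keys(block, "server")["recv_key"])
```

Both ends run the same derivation over the same three inputs, so they arrive at the same key block without either side ever transmitting the resulting keys; changing either random (as every new session does) yields a different master secret from the same pre-master secret.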
