Channel Binding Keys based on TLS Keying Material Exporters [RFC 5705] allow
additional keying material to be derived from an existing TLS channel. This
exported keying material can then be used for a variety of purposes.

TLS allows the client and server to establish keying material for use in the
upper layers between the TLS end-points. Channel Binding is a straightforward
and well-defined mechanism for authenticating other layers.

The following two attributes were added primarily for possible plugin
extensions.

Attributes

tls_channel_id:  Identifies TLS sessions across (re)negotiation
tls_binding_key: Secret crypto derivative based on Keying Material Exporters

Configuration

The TLS Binding Key is generated for each TLS negotiation when the *.ovpn
file contains the following:

example.ovpn:
{
# Channel Binding based on TLS Keying Material Exporter [RFC 5705]
#
# Note that exporter labels have the potential to collide with existing PRF
# labels.  In order to prevent this, labels SHOULD begin with "EXPORTER".
# This is not a MUST because there are existing uses that have labels which do
# not begin with this prefix.
keying-material-exporter-label "EXPORTER_OPENVPN"

# Export len bytes of keying material (min. 20)
keying-material-exporter-length 20
}

Changes

This patch stays on top of the crypto layer, which is why it works with
both crypto backends (openssl/polarssl).

The TLS_FINAL plugin was called in key_method_2_read() before server_random was
generated for the TLS server end-point, which is why it is now called in
two places: key_method_2_read() for the server and key_method_2_write() for
the client.

Use Cases:

1) Authentication of upper layers (like Kerberos etc.)

2) Authentication of the VPN's TLS channel using a QR code and a device such
   as a smartphone.

   (Instead of a user/pass dialog, the TLS VPN client could for example show
    a QR code based on a keying material derivative)

3) Authentication of the Binding Key over a confidential side-channel can also
   be used to avoid/detect a MITM (the MITM provides its own public key, which
   is why authentication of the binding key will fail)
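To make the derivation behind the configuration above and the MITM argument of use case 3 concrete, here is an added example (not part of the patch or of OpenVPN) implementing the RFC 5705 exporter on top of the TLS 1.2 PRF with the label and length from example.ovpn. All master secrets and randoms are constructed stand-ins, and the TLS 1.2 P_SHA256 PRF is assumed (TLS 1.3 exporters use HKDF instead).

```python
import hashlib
import hmac


def tls12_prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.2 PRF (RFC 5246 s.5): P_SHA256(secret, label + seed), truncated to length."""
    seed = label + seed
    a, out = seed, b""                                              # A(0) = seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()            # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()  # HMAC(secret, A(i) + seed)
    return out[:length]


def export_keying_material(master_secret, client_random, server_random, label, length):
    """RFC 5705 exporter without context: PRF(master_secret, label, client_random + server_random)."""
    return tls12_prf(master_secret, label, client_random + server_random, length)


LABEL = b"EXPORTER_OPENVPN"   # keying-material-exporter-label from example.ovpn
LENGTH = 20                   # keying-material-exporter-length from example.ovpn


def constructed(name: str, size: int) -> bytes:
    """Deterministic stand-in for a real TLS secret/random (constructed, not captured)."""
    return hashlib.sha512(name.encode()).digest()[:size]


def binding_key(master_secret, client_random, server_random):
    return export_keying_material(master_secret, client_random, server_random, LABEL, LENGTH)


def direct_session():
    """Client and server share one TLS session: both derive the same binding key."""
    ms, cr, sr = constructed("ms", 48), constructed("cr", 32), constructed("sr", 32)
    return binding_key(ms, cr, sr), binding_key(ms, cr, sr)


def premature_server_export():
    """Export taken before server_random is generated (why the patch calls TLS_FINAL
    later on the server): the value does not match what the client derives."""
    ms, cr, sr = constructed("ms", 48), constructed("cr", 32), constructed("sr", 32)
    too_early = binding_key(ms, cr, b"\x00" * 32)   # server_random not generated yet
    return too_early, binding_key(ms, cr, sr)


def mitm_session():
    """A TLS-terminating MITM runs two sessions with distinct master secrets, so the
    client's and the real server's binding keys differ and a side-channel check fails."""
    cr, sr = constructed("cr", 32), constructed("sr", 32)
    leg_a = binding_key(constructed("ms-client-mitm", 48), cr, constructed("mitm-sr", 32))
    leg_b = binding_key(constructed("ms-mitm-server", 48), constructed("mitm-cr", 32), sr)
    return leg_a, leg_b
```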

Attachment: openvpn-binding-key.patch
