TLS Keying Material Exporters [RFC 5705] allow additional keying material to be derived from an existing TLS channel. This exported keying material can then be used for a variety of purposes.
TLS allows the client and server to establish keying material for use by the
upper layers between the TLS endpoints. Channel binding is a straightforward
and well-defined mechanism for authenticating those other layers.
The following two attributes were added primarily for possible plugin
extensions.
Attribute
tls_ekm: Exported Keying Material
Configuration
EKM is generated for each TLS negotiation when the *.ovpn file contains the following:
example.ovpn:
{
# TLS Keying Material Exporter [RFC 5705]
#
# Note that exporter labels have the potential to collide with existing PRF
# labels. In order to prevent this, labels SHOULD begin with "EXPORTER".
keying-material-exporter-label "EXPORTER_OPENVPN"
# Export this many bytes of keying material (minimum 20)
keying-material-exporter-length 20
}
Use Cases:
1) Authentication of upper layers (like Kerberos etc.)
2) Authentication of the VPN's TLS channel using a QR code and a device such as
a smartphone.
(Instead of a user/password dialog, the TLS VPN client could for example show
a QR code derived from the exported keying material.)
3) Authentication of the binding key over a confidential side channel can also
be used to avoid/detect a MITM (the MITM presents its own public key, which is
why authentication of the binding key will fail).
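As an added illustration (not part of this patch or of OpenVPN's code, which calls the TLS library's exporter), the following computes the RFC 5705 exporter for the label and length configured above and shows why use case 3 works: one TLS session yields the same EKM at both ends, while a MITM that terminates TLS twice produces two sessions with different master secrets, so the values no longer match. It assumes a TLS 1.2 SHA-256 PRF, no exporter context, and constructed random secrets.

```python
import hashlib
import hmac
import os

def p_sha256(secret: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.2 data-expansion function P_SHA256 (RFC 5246, section 5)."""
    out, a = b"", seed                                               # A(0) = seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()             # A(i)
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()   # HMAC(secret, A(i) + seed)
    return out[:length]

def export_keying_material(master_secret: bytes, client_random: bytes,
                           server_random: bytes, label: bytes, length: int) -> bytes:
    """RFC 5705 exporter with no context value:
    EKM = PRF(master_secret, label, client_random + server_random)[:length].
    The label and length correspond to the two options in the configuration above."""
    if length < 20:
        raise ValueError("keying-material-exporter-length must be at least 20")
    if not label.startswith(b"EXPORTER"):
        raise ValueError("exporter labels should begin with EXPORTER (RFC 5705)")
    return p_sha256(master_secret, label + client_random + server_random, length)

def channel_binding_matches(ekm_a: bytes, ekm_b: bytes) -> bool:
    """Constant-time comparison of the values both ends derived."""
    return hmac.compare_digest(ekm_a, ekm_b)

LABEL = b"EXPORTER_OPENVPN"   # keying-material-exporter-label from the configuration
LENGTH = 20                   # keying-material-exporter-length from the configuration

def direct_session_agrees() -> bool:
    """One TLS session: both ends share the master secret and randoms, so EKM matches."""
    ms, cr, sr = os.urandom(48), os.urandom(32), os.urandom(32)      # constructed session values
    client_ekm = export_keying_material(ms, cr, sr, LABEL, LENGTH)
    server_ekm = export_keying_material(ms, cr, sr, LABEL, LENGTH)
    return channel_binding_matches(client_ekm, server_ekm)

def mitm_sessions_disagree() -> bool:
    """A MITM terminates TLS on both legs, each with its own master secret and randoms,
    so the EKM the client shows over the side channel does not match the server's."""
    cr, mr, sr = os.urandom(32), os.urandom(32), os.urandom(32)      # constructed randoms
    ms_client_leg, ms_server_leg = os.urandom(48), os.urandom(48)    # constructed secrets
    client_ekm = export_keying_material(ms_client_leg, cr, mr, LABEL, LENGTH)
    server_ekm = export_keying_material(ms_server_leg, mr, sr, LABEL, LENGTH)
    return not channel_binding_matches(client_ekm, server_ekm)

if __name__ == "__main__":
    print("direct session agrees:", direct_session_agrees())
    print("MITM detected:", mitm_sessions_disagree())
```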
