On 24/09/14 10:15, Gert Doering wrote:

>> But to get to the point, that if I setup openvpn on my droplet
>> and let's say an evil admin sniffing my traffic for 3 months with
>> tcpdump then decides to decrypt that traffic what tools does he
>> have (if any to do this). At this point he has a pcap file and
>> the openvpn server certificates and keys.
>
> Now that is easy - OpenVPN does PFS, so the stored keys won't help
> decrypt sniffed session traffic.
If an attacker has sniffed the complete handshake and is in possession of the keys, I believe it is a theoretical possibility to compromise the key exchange handshake, which again gives you access to the tunnel data. If the attacker in addition has access to client keys, then this process goes even faster. But it is correct that you don't get the raw key out of the handshake.

--
kind regards,

David Sommerseth

_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
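To make Gert's PFS point concrete, here is an added toy example (not from the thread, and not a model of OpenVPN's real TLS handshake): a non-PFS RSA key-transport exchange next to an ephemeral DH exchange signed with the same long-term key, showing what a sniffed transcript plus the server's private key yields in each case. RSA_N/RSA_E/RSA_D and DH_P/DH_G are constructed demo parameters, far too small to be secure.

```python
import hashlib
import secrets

# Constructed demo parameters: a tiny RSA key (n = 61*53) and a demo-sized DH
# group. Neither is secure; they only show which values each handshake exposes.
RSA_N, RSA_E, RSA_D = 3233, 17, 2753
DH_P, DH_G = 2**127 - 1, 2

def derive_key(secret):
    """Session key = hash of the negotiated secret (stands in for the real KDF)."""
    return hashlib.sha256(str(secret).encode()).hexdigest()

def toy_sign(message):
    return pow(message % RSA_N, RSA_D, RSA_N)

def toy_verify(message, signature):
    return pow(signature, RSA_E, RSA_N) == message % RSA_N

def rsa_key_transport_handshake():
    """Non-PFS: the client encrypts a premaster secret to the server's RSA key.
    Returns (what a sniffer sees, the session key both ends derive)."""
    premaster = secrets.randbelow(RSA_N - 2) + 2
    transcript = {"encrypted_premaster": pow(premaster, RSA_E, RSA_N)}
    return transcript, derive_key(premaster)

def attacker_decrypts_rsa_transport(transcript, server_private_d):
    """pcap + server private key: the premaster, and so the session key, fall out."""
    premaster = pow(transcript["encrypted_premaster"], server_private_d, RSA_N)
    return derive_key(premaster)

def dhe_handshake():
    """PFS: both sides pick ephemeral exponents; the long-term key only signs.
    Returns (transcript, session key). The exponents are not kept anywhere."""
    a = secrets.randbelow(DH_P - 2) + 2
    b = secrets.randbelow(DH_P - 2) + 2
    A, B = pow(DH_G, a, DH_P), pow(DH_G, b, DH_P)
    transcript = {"A": A, "B": B, "sig_B": toy_sign(B)}
    session_key = derive_key(pow(A, b, DH_P))  # equals pow(B, a, DH_P)
    del a, b  # after the handshake nothing long-lived holds the exponents
    return transcript, session_key

def attacker_view_dhe(transcript, server_private_d):
    """pcap + server private key: the signature checks out (authenticity), but
    the wire carries only g^a and g^b; the private key is not an exponent here,
    so the obvious things it lets you compute are not the session key."""
    authentic = toy_verify(transcript["B"], transcript["sig_B"])
    A, B = transcript["A"], transcript["B"]
    guesses = {derive_key(pow(A, server_private_d, DH_P)),
               derive_key(pow(B, server_private_d, DH_P)),
               derive_key(A * B % DH_P)}
    return authentic, guesses
```

The contrast is the whole point: with key transport the stored server key decrypts every recorded session, whereas with a signed ephemeral exchange it only proves who sent the public value, and the session secret lived only in exponents that were thrown away.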