On 15/12/16 20:05, Magnus Kroken wrote:
> Hi Kevin
>
> On 14.12.2016 07.54, Kevin Long wrote:
>> Assuming an adversary has full access to intercept your network traffic,
>> and virtually limitless computing power, what would you do to make the
>> best OpenVPN setup?
> --snip--
>> 1. Use easy-rsa3 or equivalent openssl commands to generate your
>> keys/certificates using elliptic curve (instead of RSA).
>
> Keep in mind that if you don't generate each private key file on the
> device where it will be used, you need a secure channel to move it to the
> target device. I suppose you are aware since the subject is specifically
> "cryptographic security", but as easy-rsa provides convenient commands
> like build-client-full it is easy to miss.
While that is true ... you should still be very wary of which device you generate the keys (and dh params) on. If you have a shabby random number generator and no entropy gathering configured, those keys can be fairly poor. This goes in particular for embedded devices, but in some cases also includes virtual machines (depending on whether the hypervisor provides some reasonable RNG interface the VMs can use). Generally speaking, you get the best randomness running on real computer hardware.

> Cryptography is just one layer - a very important one, but there are
> many other ways to break security.

Good advice! But I'd still claim that the crypto layer is the most critical one, as the traffic between your VPN server/clients can be sniffed up on networks out of your control.

--
kind regards,

David Sommerseth
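The two points raised in this thread, generating the private key on the device that will use it and checking that the host's RNG is in reasonable shape before doing so, can be combined into a small script. The following is an added example written for this page, not code from the thread, from easy-rsa or from the OpenVPN project; it assumes the openssl CLI is installed, that the Linux kernel exposes its entropy estimate under /proc/sys/kernel/random/entropy_avail, and uses illustrative names (rng_check, gen_ec_csr, csr_matches_key, the curve secp384r1, the output directory and CN). Only the CSR, which contains public data, needs to leave the device; the private key never does.

```shell
#!/bin/sh
# Added example (not from the thread): create an EC private key and a CSR
# locally so the key never crosses a network, after a minimal RNG sanity check.
# Assumptions: openssl CLI available; curve/paths/names are illustrative.

set -u

# Return 0 if the kernel's entropy estimate is at least $1 bits (default 128).
# Return 2 when the /proc file is absent so the caller sees "unknown"
# rather than a silent pass. Note: kernels >= 5.18 always report 256 once
# the pool is initialised, so this is a coarse check, not a quality measure.
rng_check() {
    min=${1:-128}
    f=/proc/sys/kernel/random/entropy_avail
    [ -r "$f" ] || return 2
    avail=$(cat "$f")
    [ "$avail" -ge "$min" ]
}

# Generate a private key on the named curve plus a CSR for the given CN.
# Files are created with restrictive permissions (dir 0700, key 0600).
# Prints the curve OID recorded in the generated key so the operator can
# confirm the expected curve was used.
gen_ec_csr() {
    cn=$1; outdir=$2; curve=${3:-secp384r1}
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; return 3; }
    mkdir -p "$outdir" && chmod 700 "$outdir" || return 1
    # umask inside a subshell so the caller's umask is left untouched
    ( umask 077 && openssl ecparam -name "$curve" -genkey -noout -out "$outdir/$cn.key" ) || return 1
    openssl req -new -key "$outdir/$cn.key" -subj "/CN=$cn" -out "$outdir/$cn.csr" || return 1
    openssl ec -in "$outdir/$cn.key" -noout -text 2>/dev/null | sed -n 's/^ASN1 OID: //p'
}

# Return 0 if the public key embedded in the CSR ($2) is the one derived
# from the private key ($1); catches mix-ups before the CSR is sent to the CA.
csr_matches_key() {
    k=$(openssl ec -in "$1" -pubout 2>/dev/null)
    c=$(openssl req -in "$2" -pubkey -noout 2>/dev/null)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Typical use on the client device:
#   rng_check 128 || echo "warning: low or unknown entropy" >&2
#   gen_ec_csr client1 ./pki-client1 secp384r1
#   csr_matches_key ./pki-client1/client1.key ./pki-client1/client1.csr
# then copy only ./pki-client1/client1.csr to the CA for signing.
```

The rng_check result is advisory: a low estimate on an embedded board or a freshly booted VM is the situation the reply above warns about, and the remedy is to feed the pool (a hardware RNG, virtio-rng, or an entropy daemon) before generating keys, not to lower the threshold.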
_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users