On 11/23/2010 12:52 PM, Sławomir Krok wrote:
Hi

Is it possible to create a locked *.vpn file for Shrew which could be
imported and used to connect to the end device, but couldn't be modified?
Something similar to the Netscreen client.


No. The short answer is that it would be difficult considering most of the components of the VPN client are open source. When a client 'locks' down configuration information, it still needs to be readable by the tools that manage VPN connections. This means that if the information is encrypted, the decryption key needs to be statically compiled into the tools. This isn't secure.

The long answer is that to retain cross-platform compatibility, the key data and the method used to protect configuration info would be easily obtained by looking at the source code. In reality, even if we only included the key in a binary-only distribution of the Windows client, anyone who knows how to use a disassembler could reverse engineer the protection format and extract the key data from a memory dump or the binary itself. This is the same reason why the Shrew Soft client and a number of other tools can import pcf files with so-called encrypted pre-shared key information. The key data that protects the information is static, and that key is well known. It's a common case of security by obscurity, even though in this case the secret isn't even that obscure. If you don't believe me, do a quick Google search for "pcf encrypted group password" and you will quickly discover lots of tools similar to this one ...

http://coreygilmore.com/projects/decrypt-cisco-vpn-password/

Hope this answers your question,

-Matthew
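The practical consequence of Matthew's point, for anyone managing VPN profiles, is that an `enc_` field in a Cisco pcf file should be handled as if it were plaintext. The following audit script is an added example for this thread, not code from the Shrew Soft project or from anyone in the discussion. It parses a profile with Python's INI parser and flags credential fields; the field names `GroupPwd`, `enc_GroupPwd`, `UserPassword` and `enc_UserPassword` are the Cisco pcf keys as I know them, and the sample profile embedded in the script is constructed.

```python
from __future__ import annotations

import configparser
from dataclasses import dataclass
from typing import List

# Cisco .pcf profile keys that carry credential material (assumed field names).
# The "enc_" variants are protected only by a static, well-known key, so this
# audit deliberately treats them with the same severity as plaintext secrets.
PLAINTEXT_SECRET_KEYS = {"grouppwd", "userpassword"}
OBFUSCATED_SECRET_KEYS = {"enc_grouppwd", "enc_userpassword"}

# Constructed sample profile; the enc_GroupPwd value is a placeholder, not a
# real obfuscated password.
SAMPLE_PCF = """\
[main]
Description=Constructed example profile
Host=vpn.example.com
AuthType=1
GroupName=example-group
enc_GroupPwd=PLACEHOLDER_HEX_BLOB
EnableISPConnect=0
"""


@dataclass
class PcfFinding:
    field: str
    severity: str
    message: str


def audit_pcf(text: str) -> List[PcfFinding]:
    """Return one finding per credential-bearing field in a pcf profile."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str  # keep the original key spelling for reporting
    parser.read_string(text)

    findings: List[PcfFinding] = []
    for section in parser.sections():
        for key, value in parser.items(section):
            if not value.strip():
                continue  # an empty field stores no secret
            lowered = key.lower()
            if lowered in PLAINTEXT_SECRET_KEYS:
                findings.append(PcfFinding(
                    key, "high",
                    "credential stored in plaintext; remove it from the "
                    "profile or move to certificate authentication"))
            elif lowered in OBFUSCATED_SECRET_KEYS:
                findings.append(PcfFinding(
                    key, "high",
                    "credential protected only by a static, publicly known "
                    "key; treat as plaintext and rotate the group secret"))
    return findings


def format_report(findings: List[PcfFinding]) -> str:
    """Render findings as one line each, or a clean-bill-of-health message."""
    if not findings:
        return "no credential material found in profile"
    return "\n".join(
        f"[{f.severity}] {f.field}: {f.message}" for f in findings)


if __name__ == "__main__":
    print(format_report(audit_pcf(SAMPLE_PCF)))
```

The audit reports only whether a secret is present and how it is stored; it does not need, and does not contain, the static key Matthew refers to. Run it over a directory of exported profiles before handing them out, and treat any `enc_GroupPwd` hit as a group secret that everyone holding the file already knows.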
_______________________________________________
vpn-help mailing list
[email protected]
http://lists.shrew.net/mailman/listinfo/vpn-help