I have a simple question regarding the OpenVPN protocol. Let's suppose we have two different users, with different keys for the same server, and both keys 1024 bits. If these two users make exactly the same request, and someone is sniffing the data on the server, will this person (the sniffer) see the same data for both users or different data? The question is to know whether the user's private key interferes in the cryptography AFTER the authentication or if it is used only at authentication time. Thank you.
With any semantically secure encryption, the encrypted data will be different even if both key and data are identical. So your question could be restated more precisely as "Does the OpenVPN protocol use semantically secure encryption?". Also, with some encryption modes any data you transfer will influence the encryption of data sent later. Thus even if the key is only used initially, it would still influence how the encrypted data looks throughout the connection. – kasperd Aug 03 '14 at 08:55
2 Answers
> If these two users make exactly the same request, and someone is sniffing the data on the server, will this person (the sniffer) see the same data for both users or different data?
Different data.
> The question is to know whether the user's private key interferes in the cryptography AFTER the authentication or if it is used only at authentication time.
The public/private keys are only used during authentication/key negotiation.
OpenVPN can operate in one of two modes: using a pre-shared key, or using TLS with certificates. The pre-shared key is static and constant, but you are asking about the certificate mode.
I'm not going to go into too much detail, and you can look up TLS yourself, but basically TLS uses the certificates (and private keys) for authentication and during the key negotiation phase. It generates a symmetric encryption key (e.g. Blowfish, AES, etc.) and uses public-key cryptography to share that key securely.
Actual messages are then encrypted with symmetric encryption. Each session has its own independent encryption key (so if you disconnect and reconnect you actually end up with a different key). Likewise, every user will have different sessions and therefore different keys.
There are two reasons for doing this. Symmetric encryption is considerably faster than asymmetric encryption, so is preferred for high throughput (the difficulty is key sharing, which the negotiation phase solves). Also, by generating a new key every time, it's harder for compromised keys to reveal other sessions' data (FS).
Ah, there we go - the answer that I was in the process of writing, only much more clearly expressed. +1 from me. – MadHatter Jul 22 '14 at 07:59
+1 and accepted as answer. Your answer was very valuable, and cleared my questions. Thank you – user2864778 Jul 22 '14 at 14:15
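As an added illustration (my own code, not from the answer above and not OpenVPN's or TLS's actual message flow), this Go program models the point made in the accepted answer: the user's long-term key only signs the handshake, each session derives its own AES-GCM key from an ephemeral X25519 exchange, and the identical request from two users, or sent twice in one session, is seen by a sniffer as different ciphertext. The function names, the single-SHA-256 key derivation and the signed-ephemeral-key authentication are simplifications I chose for the demonstration.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
)

// must panics on error so the handshake model stays short.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
func randBytes(n int) []byte {
	b := make([]byte, n)
	must(rand.Read(b))
	return b
}
// Negotiate models one client's TLS-style handshake: an ephemeral X25519 exchange
// authenticated by signing the client's ephemeral public key with its long-term
// identity key. The KDF is simplified to SHA-256 (TLS uses its PRF/HKDF).
func Negotiate(identity ed25519.PrivateKey) ([]byte, cipher.AEAD) {
	clientEph := must(ecdh.X25519().GenerateKey(rand.Reader))
	serverEph := must(ecdh.X25519().GenerateKey(rand.Reader))
	ephPub := clientEph.PublicKey().Bytes()
	sig := ed25519.Sign(identity, ephPub) // the only use of the user's private key
	if !ed25519.Verify(identity.Public().(ed25519.PublicKey), ephPub, sig) {
		panic("client authentication failed")
	}
	shared := must(serverEph.ECDH(clientEph.PublicKey())) // server side; client derives the same
	key := sha256.Sum256(shared)                          // fresh per-session symmetric key
	return key[:], must(cipher.NewGCM(must(aes.NewCipher(key[:]))))
}
// Seal encrypts one data-channel record under the session key, nonce prefixed.
func Seal(aead cipher.AEAD, plaintext []byte) []byte {
	nonce := randBytes(aead.NonceSize())
	return aead.Seal(nonce, nonce, plaintext, nil)
}
// SameRequestDiffers gives two users their own identity keys, sends the same request
// through both sessions (and twice through one) and reports what a sniffer sees.
func SameRequestDiffers(request []byte) (keysDiffer, acrossUsers, withinSession bool) {
	ka, ga := Negotiate(ed25519.NewKeyFromSeed(randBytes(ed25519.SeedSize))) // user A
	kb, gb := Negotiate(ed25519.NewKeyFromSeed(randBytes(ed25519.SeedSize))) // user B
	a1, a2, b := Seal(ga, request), Seal(ga, request), Seal(gb, request)
	return string(ka) != string(kb), string(a1) != string(b), string(a1) != string(a2)
}
```

All three results come back true: the session keys differ, so the two users' ciphertexts differ, and because the AEAD uses a fresh nonce per record, even the same session never shows the same ciphertext twice.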
Each client will encrypt its data with the key negotiated between client and server, so the data received on the VPN gateway will be different for both users.
The first part is not correct. [OpenVPN uses TLS](http://openvpn.net/index.php/open-source/documentation/security-overview.html), which does not use public-key cryptography to encrypt messages. – Bob Jul 22 '14 at 07:57