Project:Sandbox

TLS Control channel security
This menu appears automatically if TLS Authorization mode is selected.

This option specifies how FreshTomato will generate the tls-auth configuration parameter where a direction constant needs to be given. This decides which set(s) of HMAC keys will be used (HMAC-send, cipher-encrypt, HMAC-receive, cipher-receive).


 * Disabled —  No tls-auth will be used on the server. No direction is set.
 * Bi-directional Auth — [Direction] is set to 2.  The HMAC-send and cipher-encrypt keys will be used. &nbsp
 * Incoming Auth (0) — [Direction] is set to 0.  HMAC keys won't be used on this server.   However, they may be used on remote endpoints.
 * Outgoing Auth (1) — [Direction] is set to 1.   The HMAC-send  HMAC keys will be used.
 * Encrypt Channel — [Direction] is set to 3.  The HMAC-send, cipher-encrypt, and HMAC-receive HMAC keys will be used.
 * Encrypt Channel v2 — [Direction] is set to 4.  HMAC-send, cipher-encrypt, HMAC-receive and cipher-receive will all be used.

TLS requires a multi-packet exchange before it authenticates a peer. During this exchange, OpenVPN allocates memory and CPU resources to the potential peer. The potential peer exposes parts of OpenVPN and the OpenSSL library to the packets it is sending. Most successful network attacks today try to to either exploit bugs in programs (such as buffer overflow attacks) or force a program to consume so many resources that it becomes unusable. The first line of defence is always good programming. One of the main goals in writing OpenVPN was to prevent buffer overflow attacks. However, many of the most widely-used network applications still occasionally fall to buffer overflow attacks.

OpenVPN's second line of defence is an authentication layer on top of the TLS Control channel. At this layer, every packet on the control channel is authenticated by an HMAC signature and a Unique ID. This prevents replay attacks. The signature also helps protect against Denial of Service (DoS) attacks. When an unauthenticated client has limits on how much resources it can use, there is less vulnerability to DoS attacks.

Enabling TLS Control Channel Security makes FreshTomato sign every control channel packet with an HMAC signature. This includes packets sent before the TLS layer has authenticated its peer. Packets without the correct signature will be immediately dropped on receipt. In this way, such packets don't have a chance to consume additional system resources.

However, the feature is optional. The key file used with –tls-auth gives a peer only the power to initiate a TLS handshake. It is not used to encrypt or authenticate any tunnel data. Encrypt Channel should be used instead if you want to use the key file to both authenticate and encrypt the TLS control channel.

(Default: Disabled).

Auth Digest
Auth Digest (Authentication Digest) is an authentication system which reduces the risks of the plaintext method used with Basic authentication. With Auth Digest, the client sends a hash of its data over the network. Thus, the client's user name and password are never sent in plaintext over the network. This reduces the risk that logon credentials could be snooped.

If Auth Digest is set to a value other than None, OpenVPN will authenticate data channel packets and tls-auth control channel packets with HMAC. To do this, it will use a message digest algorithm (SHA1, by default ). HMAC is a common Message Authentication Code algorithm (MAC) that uses a data string, a secure hash algorithm, and a key to produce a digital signature.

The OpenVPN data channel protocol uses Encrypt-then-Mac order. A packet is first encrypted, then the resulting ciphertext has HMAC applied against it. This helps prevent padding oracle attacks.

If an AEAD cipher mode (e.g. GCM) is chosen, the specified –auth algorithm is ignored for the data channel, and the authentication method of the AEAD cipher is used instead. Note that alg still specifies the digest used for tls-auth.

In Static Key encryption mode, the HMAC key is included in the key file generated by –genkey. In TLS mode, the HMAC key is dynamically generated and shared between peers via the TLS control channel. If OpenVPN receives a packet with a bad HMAC, it will drop the packet. HMAC usually adds 16 or 20 bytes per packet. To disable authentication, set alg=none.

For basic information on HMAC, see: https://www.tutorialspoint.com/cryptography/message_authentication.htm

For a more advanced discussion, see: http://www.cs.ucsd.edu/users/mihir/papers/hmac.html