In my TLS-enabled OpenVPN configuration I want to use the additional security provided by tls-auth. The good news is that it works as expected. However, I have a question about the optional key-direction parameter (given either as the second argument of the tls-auth option or via the key-direction option).
The configuration parameter is described in the manpage as follows (version 2.3.x, relevant snippets):
--tls-auth file [direction]
    Add an additional layer of HMAC authentication on top of the TLS control channel to protect against DoS attacks. In a nutshell, --tls-auth enables a kind of "HMAC firewall" on OpenVPN's TCP/UDP port, where TLS control channel packets bearing an incorrect HMAC signature can be dropped immediately without response.

    file (required) is a key file which can be in one of two formats:
    (1) An OpenVPN static key file generated by --genkey (required if direction parameter is used).
    (2) A freeform passphrase file. In this case the HMAC key will be derived by taking a secure hash of this file, similar to the md5sum(1) or sha1sum(1) commands.

    OpenVPN will first try format (1), and if the file fails to parse as a static key file, format (2) will be used.

    See the --secret option for more information on the optional direction parameter.

... (snip)

--secret file [direction]
    Enable Static Key encryption mode (non-TLS). Use pre-shared secret file which was generated with --genkey.

    The optional direction parameter enables the use of 4 distinct keys (HMAC-send, cipher-encrypt, HMAC-receive, cipher-decrypt), so that each data flow direction has a different set of HMAC and cipher keys. This has a number of desirable security properties including eliminating certain kinds of DoS and message replay attacks.

    When the direction parameter is omitted, 2 keys are used bidirectionally, one for HMAC and the other for encryption/decryption.

    The direction parameter should always be complementary on either side of the connection, ie one side should use "0" and the other should use "1", or both sides should omit it altogether.

    The direction parameter requires that file contains a 2048 bit key. While pre-1.5 versions of OpenVPN generate 1024 bit key files, any version of OpenVPN which supports the direction parameter, will also support 2048 bit key file generation using the --genkey option.

... (snip)

--key-direction
    Alternative way of specifying the optional direction parameter for the --tls-auth and --secret options. Useful when using inline files (See section on inline files).
Note that I am not using static key encryption mode; I only show the --secret manpage snippet because the --tls-auth description refers to it.
I don't understand the explanation here. Is security improved when the direction is specified (0 for the server, 1 for the client)?
(This answer is specifically about the use of key-direction with tls-auth keys; for static key mode, always use key-direction.)
The advantage of using a different key for each direction is that packets originating from one peer can never be replayed back to that peer by a man-in-the-middle attacker. Of course, the underlying TLS and OpenVPN protocols should not accept such packets anyway, but the goal of tls-auth is to provide (some) protection against bugs in the protocol or implementation that cause those underlying mechanisms to fail.
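The replay property described in the answer, as an added illustration that is not part of the original post or of OpenVPN's code: it models a 2048-bit static key as four 64-byte slots (cipher-a, hmac-a, cipher-b, hmac-b) and assumes HMAC-SHA1 for the tls-auth tag; the slot layout and direction-to-slot mapping are assumptions of this model, not taken from the page. The constructed key stands in for a --genkey file.

```python
import hashlib
import hmac

KEY_BYTES = 2048 // 8      # a 2048-bit static key file, as the manpage requires
SLOT = 64                  # model: four 64-byte slots, cipher/hmac for a and b
TAG_LEN = 20               # HMAC-SHA1 tag length (assumed tls-auth digest)


def split_static_key(static_key: bytes):
    """Model layout (assumption): [cipher_a, hmac_a, cipher_b, hmac_b]."""
    assert len(static_key) == KEY_BYTES, "direction needs a 2048-bit key"
    return [static_key[i * SLOT:(i + 1) * SLOT] for i in range(4)]


class Peer:
    """One side of the tunnel with its HMAC-send / HMAC-receive keys."""

    def __init__(self, static_key: bytes, direction):
        _, hmac_a, _, hmac_b = split_static_key(static_key)
        if direction is None:          # no direction: one key, used bidirectionally
            self.hmac_send = self.hmac_recv = hmac_a
        elif direction == 0:           # "0" side sends with a, receives with b
            self.hmac_send, self.hmac_recv = hmac_a, hmac_b
        elif direction == 1:           # "1" side is complementary
            self.hmac_send, self.hmac_recv = hmac_b, hmac_a
        else:
            raise ValueError("direction must be 0, 1 or None")

    def seal(self, payload: bytes) -> bytes:
        return hmac.new(self.hmac_send, payload, hashlib.sha1).digest() + payload

    def accepts(self, packet: bytes) -> bool:
        tag, payload = packet[:TAG_LEN], packet[TAG_LEN:]
        expected = hmac.new(self.hmac_recv, payload, hashlib.sha1).digest()
        return hmac.compare_digest(tag, expected)   # the "HMAC firewall" check


def check(server_dir, client_dir):
    """Return (legit_path_ok, replay_to_sender_ok) for a given direction pair."""
    # Constructed demo key, deterministic so the outcome is reproducible.
    key = hashlib.shake_256(b"constructed demo static key").digest(KEY_BYTES)
    server, client = Peer(key, server_dir), Peer(key, client_dir)
    pkt = client.seal(b"TLS control channel packet")
    legit = server.accepts(pkt)          # client -> server, normal direction
    replayed = client.accepts(pkt)       # same packet reflected back at the client
    return legit, replayed


if __name__ == "__main__":
    for pair in [(None, None), (0, 1), (0, 0)]:
        print(pair, check(*pair))
```

Without a direction the reflected packet passes the HMAC check and must be caught by the protocol layers behind it; with complementary directions it is dropped at the tls-auth layer, and a mismatched pair (0/0) breaks the legitimate path as well, which is why the manpage insists the settings be complementary.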