Posts: 673 | Thanked: 856 times | Joined on Mar 2006
#41
Originally Posted by fasza2 View Post
You got me confused now I had to check my .conf file; but
I think tls-auth /etc/openvpn/ta.key 1 stands for the dynamic one.
So the preshared ta.key file is needed probably for this very reason:
I should have been more precise. That configuration is static because both sides know the shared secret. This secret is never changed unless you change it manually on both sides.

Originally Posted by fasza2 View Post
In fact, I'm not really sure what the static key mode is. Is it the non-PKI one?
Just read the following:
http://openvpn.net/index.php/open-so...mentation.html

Originally Posted by fasza2 View Post
Now I'm not sure how exactly they implemented this; if the hash is encrypted separately from the data or together. But I know if an attacker changes a single bit in the packet the hash will fail.
I've stumbled somewhere on an explanation of the protocol that states the payload is encrypted then HMAC-ed. The problem is that the HMAC value is known to the attacker as well. In order to exploit it the attacker has to know the value of the IV, which is the pre-shared secret between client and server, which allows creation of packets with valid HMAC.


Originally Posted by fasza2 View Post
The whole idea is that the server has to be able to extract the hash from the packet in order to filter out dodgy UDP packets to save the cypher and the TCP/IP stack from further processing. Sort of not letting your 'pipe' get 'clogged'. Thankfully, this is just the first line of defence. That being said, as long as the hash can be extracted from the packet it would be possible to encrypt them together, but I'll try to read up on this later.
Well, it's a handy pocket knife, not the double-handed sword.

Originally Posted by fasza2 View Post
PS: MD5 is not recommended due to vulnerabilities and some other problems.
SHA1 is getting fair share of attention as well.

There were some really good papers from Chinese regarding the reduction of brute-force attempts.
 

fasza2's Avatar
Posts: 187 | Thanked: 96 times | Joined on Sep 2010 @ London, UK
#42
Originally Posted by sr00t View Post
Oh, I didn't understand where you were going. I totally agree with you. Thanks.
Momcio was saying that Nokia had to make compromises when they picked the browser. Something that has a forgiving licence like BSD and is relatively stable. They though didn't pay so much attention to security as they had a timeline to keep. I hope it makes more sense now
 

fasza2's Avatar
Posts: 187 | Thanked: 96 times | Joined on Sep 2010 @ London, UK
#43
Here is what I could dig up (the last 2 were both from tls mode options):

'OpenVPN's usage of HMAC is to first encrypt a packet, then HMAC the resulting ciphertext.'

'--tls-auth file [direction]
Add an additional layer of HMAC authentication on top of the TLS control channel to protect against DoS attacks.

In a nutshell, --tls-auth enables a kind of "HMAC firewall" on OpenVPN's TCP/UDP port, where TLS control channel packets bearing an incorrect HMAC signature can be dropped immediately without response.

file (required) is a key file which can be in one of two formats:

(1) An OpenVPN static key file generated by --genkey (required if direction parameter is used).

(2) A freeform passphrase file. In this case the HMAC key will be derived by taking a secure hash of this file, similar to the md5sum(1) or sha1sum(1) commands.'

'It should be emphasized that this feature is optional and that the passphrase/key file used with --tls-auth gives a peer nothing more than the power to initiate a TLS handshake. It is not used to encrypt or authenticate any tunnel data.'

According to this the HMAC key is static and is not used in the authentication. (2048-bit, FYI)

Last edited by fasza2; 2011-06-16 at 23:23.
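
The "HMAC firewall" behaviour quoted in post #43, sketched as an added example that is not part of the thread and is not OpenVPN's code or wire format. The packet layout (tag followed by ciphertext), the choice of SHA-256, the key and the function names are assumptions made for illustration.

```python
import hashlib
import hmac

DIGEST = hashlib.sha256          # assumption: digest chosen for this sketch
TAG_LEN = DIGEST().digest_size   # 32 bytes

def seal(hmac_key: bytes, ciphertext: bytes) -> bytes:
    """Encrypt-then-MAC: the tag covers bytes that are already encrypted."""
    return hmac.new(hmac_key, ciphertext, DIGEST).digest() + ciphertext

def hmac_firewall(hmac_key: bytes, packet: bytes):
    """Return the ciphertext if the tag verifies, else None (drop, no reply).

    Nothing is decrypted or parsed before the tag has been checked.
    """
    if len(packet) < TAG_LEN:
        return None
    tag, ciphertext = packet[:TAG_LEN], packet[TAG_LEN:]
    expected = hmac.new(hmac_key, ciphertext, DIGEST).digest()
    # compare_digest is designed to resist timing analysis of the tag
    return ciphertext if hmac.compare_digest(tag, expected) else None

def demo() -> dict:
    key = bytes(range(32))                    # constructed pre-shared key
    ciphertext = bytes.fromhex("8f1c3a") * 8  # constructed stand-in for encrypted data
    good = seal(key, ciphertext)

    flipped = bytearray(good)
    flipped[-1] ^= 0x01                       # a single bit changed in transit

    # An observer sees valid tags on the wire, but a captured tag only
    # matches the exact ciphertext it was computed over.
    reused_tag = good[:TAG_LEN] + b"different ciphertext"

    wrong_key = seal(b"\x00" * 32, ciphertext)  # sender without the shared key

    return {
        "valid": hmac_firewall(key, good) == ciphertext,
        "bit_flip": hmac_firewall(key, bytes(flipped)),
        "reused_tag": hmac_firewall(key, reused_tag),
        "wrong_key": hmac_firewall(key, wrong_key),
        "truncated": hmac_firewall(key, good[:10]),
    }

if __name__ == "__main__":
    print(demo())
```

This check by itself accepts an exact replay of a previously captured packet; it only shows that unkeyed or modified packets are dropped before any decryption work is done.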
 
Posts: 673 | Thanked: 856 times | Joined on Mar 2006
#44
As long as you don't encounter someone carrying pocket quantum calculator, you'll be just fine.
 
fasza2's Avatar
Posts: 187 | Thanked: 96 times | Joined on Sep 2010 @ London, UK
#45
Originally Posted by momcilo View Post
As long as you don't encounter someone carrying pocket quantum calculator, you'll be just fine.
Hehe, maybe not anytime soon. Mind you, I heard of a system that hooks up different computer systems sharing computing tasks over the internet to solve complicated, hence power-hungry mathematical problems. Unfortunately I can't remember its name, but I heard it on one of the Linux podcasts out there. I wonder if a hacker could make any use of it
 
fasza2's Avatar
Posts: 187 | Thanked: 96 times | Joined on Sep 2010 @ London, UK
#46
Back to MicroB what alternatives we have? I mean solution, not browser.

Damn I hate closed source!
 
Posts: 135 | Thanked: 75 times | Joined on Apr 2011 @ Buenos Aires, Argentina
#47
Originally Posted by fasza2 View Post
Back to MicroB what alternatives we have? I mean solution, not browser.

Damn I hate closed source!
Not too much, speaking of MicroB. It'll require more than 'mad skillz' to update it without having the closed-source core bits. You'll have to stick with Firefox Fennec or Opera. The last one is closed source but it has the quickest interval between updates. I don't list Chromium because it is almost unusable, like Firefox Fennec, which is REALLY REALLY slow.
I see Opera as the best browser for everyday use in Maemo (even if it's closed-source), and the most up-to-date one. I really doubt there are vulnerabilities for it. Sad thing is you'll be forced to use MicroB if you want Flash.
Another alternative is to use browsers in Easy Debian (which I haven't tested too much).
 
Posts: 3,464 | Thanked: 5,107 times | Joined on Feb 2010 @ Gothenburg in Sweden
#48
Originally Posted by Captwheeto View Post
Turn off SSH if you're not going to use it. Also traffic is being sniffed more than a school girl in Japan. Don't log on to anything, general browsing should be fine as long as nobody does a redirect and exploits you from there.
not true I would prefer to sniff alot more on a schoolgirl i Japan than a N900
 
jd4200's Avatar
Posts: 451 | Thanked: 424 times | Joined on Apr 2010 @ England
#49
I haven't looked much into this; but, I bet there are many vulnerabilities in our current version of adobe flash, and maybe the stock web browser seeing as they haven't been updated in a long time.

I'd suggest using Opera whilst you are there, and blocking flash.

(Input would be appreciated if anyone can confirm the weakness of flash or microb).
 
Estel's Avatar
Posts: 5,028 | Thanked: 8,613 times | Joined on Mar 2011
#50
And I suggest using Iceweasel via Easy Debian as mentioned before, cause Opera is one f*** of annoying browser, not to mention closed source, so we can only guess if it's safe or not (however I agree that it's probably safer than MicroB that wasn't updated in ages - but again, PROBABLY).

Also, I don't think you'll encounter many people prepared to attack MicroB, as N900 is (fortunately in this case) much less popular than Android "kiddy" phones. Security through obscurity, that is. Remember that even the most talented "hackers" are as good in these situations as the "tools" they have with them. I don't suppose that anyone will write a special script to hack you, even at a Security Conference, just because he's annoyed that you got a better handheld than her/his new 1k dollars one
 
