Elliptic curve support

In version 2.4 of OpenVPN support was added for using elliptic curve (EC) certificates instead of the more common RSA type certificates. Elliptic curve cryptography (ECC) provides a fast method for encrypting and authenticating a secure connection, but are not widely used yet. In part, this is due to some patenting issues. As most modern OpenSSL libraries provide ECC support, however, OpenVPN can also use EC certificates. The main advantage of ECC is that you can provide smaller keys to achieve the same level of security than with the more common RSA and DSA type encryption. This will result in a better VPN performance without sacrificing security. As we will see in this recipe, OpenVPN's control channel can be authenticated using an EC algorithm. The data channel is still authenticated using a non-EC HMAC algorithm, such as SHA1.

Getting ready

For this recipe, the server computer was running CentOS 6 Linux and OpenVPN 2.4.0. The client was running Fedora 22 Linux and OpenVPN 2.4.0.

How to do it...

  1. We first need to generate a new EC-based Certificate Authority:
        $ export KEY_CN=
        $ export KEY_OU=
        $ export KEY_NAME=
        $ export OPENSSL_CONF=/etc/openvpn/cookbook/openssl-
            1.0.0.cnf
        $ openssl ecparam -out cakey_temp.pem 
             -name sect571k1 -text -genkey
        $ openssl ec -in cakey_temp.pem -out ec-ca.key -aes256
        $ openssl req -new -x509 -out ec-ca.crt -key ec-ca.key
             -days 3650 -sha512 -extensions v3_ca
             -subj "/C=US/O=Cookbook 2.4/CN=Elliptic Curve CA"
    

    This will result in an ec-ca.crt and ec-ca.key file using the sect571k1 elliptic curve that we will use to sign the EC-based client and server certificates.

  2. Next, generate the new EC server certificate:
        $ openssl req -nodes -sha512 -newkey ec:ec-ca.crt
             -new -days 400 -out ec-server.req 
             -keyout ec-server.key
             -subj "/C=US/O=Cookbook 2.4/CN=ecserver"
        $ chmod 600 ec-server.key
        $ openssl x509 -req 
            -extfile $OPENSSL_CONF 
            -extensions server
            -out ec-server.crt -sha512 -CA ec-ca.crt 
            -CAkey ec-ca.key  -in ec-server.req 
            -set_serial $RANDOM
    

    This will result in an ec-server.crt and ec-server.key file.

  3. Similarly, generate the new EC client certificate:
           $ openssl req -nodes -sha512 
               -newkey ec:ec-ca.crt
               -new -days 400 
               -out ec-client.req -keyout ec-client.key
               -subj "/C=US/O=Cookbook 2.4/CN=ecclient"
           $ chmod 600 ec-client.key
           $ openssl x509 -req -extfile $OPENSSL_CONF 
               -extensions usr_cert
               -out ec-client.crt -sha512 -CA ec-ca.crt 
               -CAkey ec-ca.key -in ec-client.req 
               -set_serial $RANDOM
    

    This will result in an ec-client.crt and ec-client.key file.

  4. Create the server configuration file:
            proto udp 
            port 1194 
            dev tun 
            server 10.200.0.0 255.255.255.0 
     
            ca   /etc/openvpn/cookbook/ec-ca.crt 
            cert /etc/openvpn/cookbook/ec-server.crt 
            key  /etc/openvpn/cookbook/ec-server.key 
            dh   /etc/openvpn/cookbook/dh2048.pem 
    

    Save it as example4-11-server.conf.

  5. Start the server:
          [root@server]# openvpn --config example4-11-server.conf
    
  6. Next, create the client configuration file:
            client 
            proto udp 
            remote openvpnserver.example.com 
            port 1194 
            dev tun 
            nobind 
     
            ca /etc/openvpn/cookbook/ec-ca.crt 
            cert /etc/openvpn/cookbook/ec-client.crt 
            key /etc/openvpn/cookbook/ec-client.key 
            verb 4  
    

    Then save it as example4-11-client.conf.

  7. Transfer the files such as ec-ca.crtec-client.crt, and ec-client.key to the client machine using a secure channel.
  8. Finally, start the client:
          [root@client]# openvpn --config example4-11-client.conf
    

    And observe the chosen control channel cipher:

            Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-ECDSA-
            AES256-GCM-SHA384 
    

    This shows that the control channel is protected using an ECDSA-based cipher.

How it works...

By generating an EC-based Certificate Authority and by using EC-based certificates OpenVPN can now support elliptic curve cryptography on the control channel. The data channel is still protected using the default cipher BF-CBC (Blowfish) and the default HMAC algorithm SHA1.

It should be noted that with RSA-based certificates the control channel cipher looks remarkably similar:

Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA 

It is not the "ECDHE" part which proves that ECC is used, but "ECDSA".

There's more...

It is also possible to choose different ECDH "curves". This is done by first listing the available ECDH curves on the OpenVPN server:

[root@server]# openvpn --show-curves
Available Elliptic curves:
[...]
secp112r1
secp112r2
secp521r1
prime192v1
prime192v2
[...]

And then by adding the option to the server configuration file:

ecdh-curve secp521r1

Elliptic curve support

Not all Linux distributions provide an OpenSSL library that supports elliptic curve cryptography out of the box. Notably RedHat-based and RedHat-derived distributions, such as RedHat Enterprise Linux, CentOS and Fedora explicitly disable ECC support. RedHat cites patent issues as the reason, but the "default" OpenSSL library ships with full ECC support.

As the Linux distributions used throughout this book are CentOS and Fedora, a custom build of the OpenSSL 1.0.2 library was made especially for this recipe.

..................Content has been hidden....................

You can't read the all page of ebook, please click here login for view all page.
Reset
3.12.155.249