============================================
Virtual Private Network Daemon (vpnd) README
============================================
Intro:
======
Please make sure that you read all parts of this file. Make
sure that you understand the sections of this file relevant to you.
Legal:
======
This code is in the 'public domain' (*) under the GPL/LGPL,
see the headers of the source files for per source details.
Use in commercial environments is explicitely granted as
long as all sources and this README are made directly available
(i.e. no 'send mail to foo@bar.com for sources' or suchlike).
(*) 'public domain' is used here in the sense of the Wassenaar treaty.
The general legal notice valid for all elements of vpnd is:
THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT,
INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
OF THE POSSIBILITY OF SUCH DAMAGE.
The uppercase legal statement above was copied from
/usr/src/linux/drivers/char/random.c, I'm not a lawyer
and you have to cover yourself against some madness nowadays.
Purpose:
========
vpnd is a daemon which connects two networks on network
level either via TCP/IP or a (virtual) leased line attached
to a serial interface. All data transfered between the two
networks are encrypted using the unpatented free Blowfish
encryption algorithm (see http://www.counterpane.com/) with
a key length of up to 576 bits (may be downgraded to a
minimum of 0 bits to suit any legal restrictions).
vpnd is not intended as a replacement of existing secured
communications software like ssh or tunneling facilities
of the operating system. It is, however, intended as a
means of securing transparent network interconnection
across potentially insecure channels.
Features:
=========
Supports data compression when you have any of libgz.a
or libz.a on your system either in /usr/lib or /usr/local/lib,
as well as /usr/include/zlib.h or /usr/local/include/zlib.h,
the zlib package home page is located at
http://www.cdrom.com/pub/infozip/zlib/, use version 1.1.3 or later.
For Linux 1.x systems a simple random number generating
daemon is provided for systems which do not have any
other random number daemon running.
Details:
========
vpnd creates a SLIP interface on the local system and adds
up to nine static routes to hosts and/or networks to the
interface. It connects to its remote peer either over TCP/IP
or a serial line.
It transfers data blocks encrypted with Blowfish in CFB mode
and uses a 256 byte whitening ring buffer to make brute
force plaintext/ciphertext attacks more difficult.
A message is encrypted such that 64 bit CFB is used for
all complete 64 bit blocks of the message and 8 bit CFB
is used for the remaining bits of the message.
All bytes of the message are whitened by a 256 byte
whitening ring buffer after encryption. The contents of this
ring buffer is derived from the master key.
All data blocks transfered consists of a 4 or 18 byte message
containing a data header (4 bytes in case of fast checksum,
18 bytes in case of HMAC-MD5 authentication and 22 bytes in
case of HMAC-SHA1 or HMAC-RIPEMD160 authentication) and another
message containing the data.
To make things a bit harder for the potential analyst
the header datablock contains the low byte of the data
checksum as the first byte. This value will frequently
change and as it affects the encryption of the further
bytes of the header this offers in conjunction with
whitening some protection against attacks.
The master key is used only to to set up the whitening
ring buffer and then to secure the transfer of a random
key and random initialization vectors which actually
are then used for the session.
There are two master key file formats, the basic format
where the master key is stored in unencrypted form
and the extended format where the master key is stored
in encrypted form. For details see the appropriate
sections below.
Session keys are only generated by the server. The client
just generates its own initialization vector and sends
it to the server. All random data used for session key and
session initialization vectors is encrypted first in ECB mode
with the current key before usage to harden any weakness
that may be incorporated in the sytem's random number
generator.
vpnd uses rather hard means of synchronization: If any
error is detected the session is terminated and creation
of a new session is tried. This should be no problem
for communicaion over TCP/IP where the underlying
protocol takes care of securing the session. The same goes
for virtual leased lines over ISDN or real leased lines
as there are very low bit error rates. In case the
session is dropped vpnd usually builds the next session
fast enough for the transfered encrypted IP traffic
to resynchronize and continue.
Logging is performend by using the syslog with
facility daemon and priorities info and notice.
If you see any weakness in the protocol described above
except for root compromise please inform me (astmail@yahoo.com)
immediately. I will try to make this daemon as secure
as reasonable (best security is no data at all...).
Basic Master Key File Format:
=============================
The master key is stored in unencrypted form in a mode
0400 file owned by root:root. This file is never modified
by vpnd. This key file format is for use for vpnd connections
between unattended firewall systems which do not allow any
remote access and do firewalling and routing only.
This key file format can be seen as a serious security problem
but let me tell you: if your system already got compromised as
far as root access the attacker doesn't need the master key
file but is already able to sniff the paintext network traffic.
Extended Master Key File Format:
================================
The master key is stored in encrypted form in a mode 0400
file owned by root:root. The encryption key is the four
character string 'vpnd'. The encryption mode is CBC
(cipher block chaining). The required IV (initialization
vector) for decryption of the local master key is
stored unencrypted in the remote master key file.
The format of the extended master key file is as follows:
Offset Contents
----------------------------------------------------------
0 version identifier
1 reserved, 0
2 reserved, 0
3 transaction id
4-75 encrypted master secret for transaction id & 1 = 0
76-147 encrypted master secret for transaction id & 1 = 1
148-155 remote iv for transaction id & 1 = 0
156-163 remote iv for transaction id & 1 = 1
164-187 key identifier
188-255 reserved,0
----------------------------------------------------------
The session initialization mechanism in case the extended master key file
format is used is as follows after connection between client ans server
is established:
read master key file from disk, check version id, disconnect if wrong id
send transaction id and capabilities, client additionally sends identifier
receive transaction id and capabilities, server additionally receives identifier
server checks client identifier, disconnect if mismatch
compare remote and local transaction id:
if identical continue
if +-1 difference chose lower value and write syslog notice, continue
if >+-1 difference disconnect and write syslog notice, disconnect
send remote iv according to selected transaction id
receive local iv
decrypt master key according to selected transaction id
server generates session key and server iv, sends it to client
client generates client iv and sends it to server
server reads client iv
client reads session key and server iv
session key setup as usual
increment selected transaction id by 1, write it to memory
create new local iv
encrypt master key with new local iv, write it to memory, send iv to peer
receive remote iv, write it to memory
xor local and remote ivs, send result to peer
receive xored iv, compare to local xor, disconnect if mismatch
write master key file to disk
All communication before the master key is decrypted is done unencrypted.
All communication for session key and isession iv transfer is done encrypted
with the master key and ivs generated from 'local' and 'remote' parameters.
All communication after session key and session iv transfer is done
encrypted in CFB mode with the session key/ivs.
There are advantages and disadvantages for this file format. The major and
only disadvantage is that both client and server vpnd do modify the key
file for every successfully established session. This is usually not
desired for unattended, failsafe and tripwired firewall systems. In this
case you should use the basic key file format.
There are several advantages:
1. key id: The key id is checked prior to any data transmission by the
vpnd server. This helps to detect malicious connects even before
any cryptographic setup is done. Furthermore this key id will
be used for key management in a later software version.
2. capabilities: The capabilities exchanged between client and server
enable the run time negotiation of vpnd features. Currently
the enabling of compression as well as the method of message
authentication (checksum, HMAC-MD5, HMAC-SHA1, HMAC-RIPEMD160)
is negotiated.
Note that even though it may look desirable at a first glance
key length negotiation will never be implemented. First of all
negotiation may result in the maximum number of key bits requested
which may result in a legal problem for one of the two peers
involved. And if the minimum key bits are selected it may well
happen that accidentally no encryption at all takes place which
would be a serious security problem. Finally the plaintext
transfer of the key length used would make it very easy for
any man in the middle sniffing the data packets to decide whether
communication can be cracked (too short key length), or not.
3. stolen keys: First of all the master key can't be used without a
connection to the server. Note that even as the master key is stored
encrypted it is not stored encrypted in any legal sense as:
a) it is encrypted with a fixed four character key which is 'vpnd'
b) the required iv to decrypt the key is stored unencrypted
c) the required iv to decrypt the key is transmitted unencrypted
Still nobody can steal and actively use a master key file undetected:
a) If a stolen master key file is used once a 'transaction id mismatch'
syslog notice will be issued on client and server when the
valid user or intruder connects. Note that this notice is possible, too,
if the client or the server do crash before the modified master
key file of a session is physically written back to disk but
after all we're talking Unix here and even in case a system crashes
this will not go unnotified, so a system administrator can
distinguish between a crash and an attack.
b) If a stolen key is used more than once by the intruder the valid
user will no longer be able to connect to the server. This will
for sure be detected.
c) If a stolen key is used more than once by the valid user before
the intruder uses the key the intruder will no longer be able to
connect to the server. Any attempt will for sure be detected.
The only means to use a stolen key file is to monitor all traffic
between client and server and to extract the proper iv for the
key file when the next session between client and server is established.
The intruder then has the master key. What comes next is valid both
for basic and extended key file format: Even though the intruder now
has the master key all traffic between client and server must be monitored
to extract the session key from the traffic. So any intruder must
first gain root access to client or server and steal the key file.
Then all traffic between client and server must be monitored.
If an intruder has both capabilities the intruder will already
have the capability to sniff all unencypted network traffic on
either client or server so any further precautions against such
passive attacks don't make much sense.
User Password for Extended Master Key File Format
=================================================
First things first: when extended master key files are created there
is no user password. The reason is that the key files are supposed
to be used in unattended mode. However it may be desired to set
a user password, either for transfer of the key to the peer or
if vpnd is started interactively or if e.g. a key server is used.
The basic mechanism for user passwords within vpnd is to create
the required key schedule directly from the given password and
then to clear the password. There is no need to hash the user
password first - as only the two master keys which consist of
random numbers are encrypted and there is no mechanism to verify
any password except than to connect to the peer and see, if
the local decryption actually was done with the right password
plaintext attacks are not possible. Furthermore decryption
attempts will be detected and logged on the peer system so
such an attempt will for sure be detected. The minor drawback
is that you will have to remember the password precisely, especially
when you use the password modifying feature of vpnd. Any combination
of old and new password is accepted but if you enter the wrong
values, you will never again be able to connect to the peer with
this key. I do believe this to be reasonable enough, you just have to
to be careful enough when remembering and entering the password.
Now for the practical side: use 'vpnd -c <pathname-of-keyfile>'
to set, modify or remove a user password for the given keyfile.
If you want to set a password for a key file with no password
just press the 'enter' key when prompted for the old password
and enter the new password when prompted for the new password.
If you want to remove a password for a key file with a password
enter the current password when prompted for the old password and
just press the 'enter' key when prompted for the new password.
If you want to modify a password for a key file with a password
enter the current password when prompted for the old password and
enter the new password when prompted for the new password.
Now that you have set a user password for the master key file
you need to start vpnd with and additional '-p' parameter as
vpnd has no way to detect if a user password has been set or not.
if you start vpnd with the additional '-p' parameter you are
prompted to enter the password except when standard input of vpnd
is a pipe. In this case the password is read from standard input
(this is useful in combination with any kind of key server).
The only way to find out if the password entered is correct is
when the next connection with the peer succeeds (see above).
For a short description of the '-c' and '-p' parameters
use 'vpnd -h'.
New Versions, Updates:
======================
Main site: http://sunsite.auc.dk/vpnd/
Mirror site: http://www.crosswinds.net/~anstein/unix/vpnd.html
Current development versions may be retrieved through anonymous CVS.
See the URLs stated above for details.
A mailing list for vpnd is available, see the URLs above for details.
Author:
=======
Andreas Steinmetz, http://www.crosswinds.net/~anstein/
Copyright:
==========
Andreas Steinmetz, http://www.crosswinds.net/~anstein/
D.O.M. Datenverarbeitung GmbH, http://www.domdv.de/
Contact:
========
Please send any bug reports, enhancements or ports to astmail@yahoo.com
Operating Systems:
==================
Linux 1.2.x (1.2.9 tested)
Linux 2.0.x (2.0.35 tested)
Linux 2.2.x (2.2.9 tested)
FreeBSD 3.3
Porting:
========
If you want to port vpnd to any other Unix system feel free to do so.
Please contact me (astmail@yahoo.com) so that the sources can be
merged. If you want to port to a non-Unix system still feel free to
do so but be warned: I will merge sources in this case only if you
can convince me that the system you port to can be secured sufficiently
against attacks which is, in my opinion, not the case for all M$
operating systems.
Build:
======
Do a ./configure, then do a make. The resulting file will be named vpnd.
If you use a Linux 1.x system an additional file named randomd will be created.
Install:
========
Copy vpnd (and randomd if it is required) to any directory you like.
Copy vpnd.conf and vpnd.chat to /etc or copy those files to any other
directory when you use the -f option of vpnd (see later). Note that
vpnd.conf and vpnd.chat must be at least mode 644 and be owned by
root:root.
Configuration:
==============
For Linux 1.x systems without any other random number
generator you must start randomd before vpnd can be used. In this
case you must create a soft link from /dev/random to /dev/randomd.
For Linux 2.x systems make sure that /dev/random (character device,
major 1, minor 8) exists.
For FreeBSD you may need to use the rndcontrol utility to enable
some interrupts for random number generation as your system otherwise
may lack sufficient entrophy to generate a key.
Now generate a basic format master key with the vpnd -m command or
extended format master key files with the -x command (for key generation
vpnd will use only /dev/random as the random data source). In case
of -x you have to specify a directory where two files, vpnd.lcl.key
and vpnd.rmt.key are created. Use vpnd.lcl.key on the local system
and transport vpnd.rmt.key by secure means to the remote system.
Then use vpnd.rmt.key on the remote system. Note that except for
connections between unattended firewall systems the use of the
extended format master key files is strongly encouraged. Make sure
you read the user password section for this file format above.
Configure vpnd.conf and vpnd.chat to suit your requirements, see
the documentation included in these files as well as the examples
provided in the samples directory.
Note: do never use the key provided in the samples directory except
maybe for an initial test. Otherwise anyone can decrypt all the
data transfered by your vpnd.
Some hints:
1. Use the 'autoroute' option only for Linux 2.2.x kernels.
This option is ignored for FreeBSD.
2. If you all of sudden can't connect to the your peer anymore
(crypto init failures) your system may lack entrophy, try
to use 'randomdev /dev/urandom' in this case. This should
be still secure enough (see the random.c source of the
Linux kernel) and you won't have problems connection
to your peer anymore.
3. Make sure the 'keysize' option has the same value on both
the client and the server system or that the option is
not given on both systems.
4. 'local' and 'remote' relate to the local and remote ip
of the slip interface created by vpnd whereas 'client'
and 'server', if given as an ip, refer to the actual
system network ips.
5. For connects from a dynamic ip client to a fixed ip
server use 0.0.0.0 for the client ip.
6. You can't test vpnd client and server functionality on
one system, two systems are required
7. Have a look at the 'suspend', 'connwait' and 'sendbuf'
options when you use vpnd on a dialup client system.
8. See the configuration examples in the samples and the
dynamic-ip-client directories
9. If you get slip interface errors make sure that cslip
is enabled together with slip in the kernel/slip module
or use the 'nocslip' option
10. If you still have problems or want to report a bug
preferably use the vpnd mailing list (vpnd@sunsite.auc.dk)
as I'm not available from time to time and someone on the
list may be able to help you.
Use:
====
Execute vpnd -h for a list of available options. You should first try
the TCP/IP communication version of vpnd to learn how to configure
vpnd properly. When you use vpnd with a (virtual) leased line
attached to a serial interface the -t option allows you to test
the modem initialization chat script.
A final word:
=============
When you rely only on vpnd to secure your communications - just better
don't use vpnd at all. If one of the two systems involved in the vpnd
communication gets compromised the whole bridged LAN may be compromised
and at least all traffic painfully transfered encrypted can be easily
sniffed in the plain version. Secure your systems first, then use vpnd!
Use firewalls, passive and active intrusion warning and detection
systems, don't rely on a single layer of security, always assume that
a security layer can be penetrated. Use multiple layers and examine
your system logs carefully and regularly. Don't ignore any unusual
activity, investigate. And never, never log into your system as
root by default, su only when and if it is really necessary.
distrib
>
Mandriva
>
8.2
>
i586
>
media
>
contrib
>
by-pkgid
>
b925ecbdbd8b3c79875000359b742194
>
files
>
5
