From 693bd13fa723b8d5077539a7208f759c51c04a06 Mon Sep 17 00:00:00 2001 From: Angristan Date: Sun, 11 Dec 2016 12:07:50 +0100 Subject: [PATCH] Use SHA-256 instead of SHA-384 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Thanks to David_5.1 (https://angristan.fr/mise-a-jour-de-mon-script-openvpn/#comment-2750) who pointed out that there was a mistake on the Wikipédia page of the Length extension attack (https://en.wikipedia.org/wiki/Length_extension_attack), and it was affecting all the SHA2 family, not just SHA256. It's a theoretical attack though. I didn't find any reason to use one member of the SHA2 family more than another, so I switched to SHA-256 for now. --- README.md | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/README.md b/README.md index 5a33ff2..c2b068c 100644 --- a/README.md +++ b/README.md @@ -130,7 +130,7 @@ In OpenVPN 2.4, we will be able to use an ECDSA certificate. This algorithm uses OpenVPN uses SHA-256 [by default](https://github.com/OpenVPN/easy-rsa/blob/master/easyrsa3/vars.example#L192). -However SHA-256 is vulnerable to the [Length extension attack](https://en.wikipedia.org/wiki/Length_extension_attack). OpenVPN supports MD5 and SHA-1, but they're also vulnerable. This leaves us with SHA-384 and SHA-512. I didn't find any reason to use SHA-512 over SHA-384, so I've chosen SHA-384. +It also supports SHA1 and MD5, which are unsafe, and all the SHA2 family. I didn't find any reason to use something other than SHA-256 in the SHA2 group, so the script still uses the default hash algorithm. ### Data channel's cipher 
@@ -205,9 +205,9 @@ According to the [Hardening](https://community.openvpn.net/openvpn/wiki/Hardenin - TLS-DHE-RSA-WITH-AES-128-GCM-SHA256 - TLS-DHE-RSA-WITH-AES-128-CBC-SHA256 -AES GCM is more secure than AES CBC, and AES 128 is secure enough today. However, the AES-256-GCM cipher uses SHA-384 and the AES-128-GCM one uses SHA-256, however SHA-256 is vulnerable to the [Length extension attack](https://en.wikipedia.org/wiki/Length_extension_attack). Also, the control channel is a low-bandwidth channel so the ~40% speed difference between AES 128 and 256 bits is nigligible. +AES GCM is more secure than AES CBC, and AES 128 is secure enough today. I didn't find any security difference between SHA-256 and SHA-384 so we're going to use SHA-256. -Thus, I have chosen `TLS-DHE-RSA-WITH-AES-256-GCM-SHA384` as the control channel cipher. +Thus, I have chosen `TLS-DHE-RSA-WITH-AES-128-GCM-SHA256` as the control channel cipher. ### Diffie-Hellman key @@ -224,9 +224,7 @@ To quote the OpenVPN wiki : >Authenticate packets with HMAC using message digest algorithm alg. (The default is SHA1 ). HMAC is a commonly used message authentication algorithm (MAC) that uses a data string, a secure hash algorithm, and a key, to produce a digital signature. OpenVPN's usage of HMAC is to first encrypt a packet, then HMAC the resulting ciphertext. -As said before, anything lower than SHA-256 is weak, and SHA-256 itself is vulnerable. - -Thus I have chosen SHA-384 for the HMAC authentication digest algorithm. +SHA-1 is not safe anymore, so I use SHA-256 which is safe and widely used. ### TLS-Auth
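Review bot: in the first hunk (README line 130, certificate digest), the replacement sentence drops the length-extension argument but gives no reason why the previous concern no longer applies, leaving only "I didn't find any reason". The point worth documenting is that a length-extension attack targets constructions of the form H(secret || message) used as a MAC; the digest chosen here signs certificates and is later used inside HMAC, and neither use is affected, so any SHA-2 member is acceptable for this purpose. Suggest replacing "I didn't find any reason to use something other than SHA-256 in the SHA2 group" with a sentence stating that, so readers of the README do not re-raise the same objection. Also "SHA1" should be written "SHA-1" to match the spelling used elsewhere in the file.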
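Review bot: in the second hunk (README line 205, control channel cipher), the justification given for moving from `TLS-DHE-RSA-WITH-AES-256-GCM-SHA384` to `TLS-DHE-RSA-WITH-AES-128-GCM-SHA256` only discusses the hash, yet the change also halves the AES key size. The SHA256/SHA384 suffix in these suite names selects the TLS PRF and record MAC, not the data-protection strength, so the hash argument alone does not explain the AES-128 choice; the removed line at least noted that the bandwidth cost of AES-256 is negligible on the control channel. Suggest either keeping the AES-256-GCM suite with SHA384, or adding one sentence stating that AES-128 is retained deliberately and why. The removed line also contained the typo "nigligible", so if that sentence is restored it should read "negligible".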
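Review bot: in the third hunk (README line 224, `--auth` digest), the new sentence "SHA-1 is not safe anymore" is imprecise in this context: the quoted OpenVPN text says the digest is used inside HMAC, and HMAC-SHA1 is not broken by the collision attacks that deprecate SHA-1 for signatures. The change to SHA-256 is still the right default, but the rationale should say so accurately, e.g. "SHA-1 is deprecated for new deployments, so the script uses HMAC-SHA256, which is the modern default and widely supported." As written, readers may conclude that existing HMAC-SHA1 configurations are exploitable, which the text does not support.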