Some VPN providers use weak 1024-bit keys: why VyprVPN's are strong


Tech In Asia recently reported that the VPN providers ExpressVPN and Astrill were using certificate authority (CA) certificates generated from 1024-bit keys. In 2003, 1024-bit keys were shown to be crackable by 2010, and current research estimates that 1024-bit keys can be brute-forced today with the resources available to nation-state actors. Since it began offering OpenVPN and IPsec VPN service in 2010, Golden Frog has always used 2048-bit keys, both for its CA certificates and for the keys used to encrypt VyprVPN connections. Security researchers predict that 2048-bit keys will be sufficient until about 2030.

So what, specifically, is wrong with ExpressVPN's 1024-bit key, and why should VPN customers worry? ExpressVPN encrypts the VPN connection itself with 2048-bit keys, so the data in transit is protected to a higher level. As with all things security-related, though, the answer comes down to trust.

In an OpenVPN connection, the certificate authority (CA) certificate lets the OpenVPN client verify that the VPN server is who it claims to be. The VPN server's identity is signed by the CA key, and with the CA certificate the client can verify that a trusted third party (the certificate authority) has vouched for it. This trust rests on the authority being the only one with access to the CA key. If someone unrelated to the authority also had access to that key, they could create and sign their own server certificates, and those servers would appear exactly as trustworthy as the authority's own. Nobody could tell the difference, so nobody could trust that the server really is who it says it is.

Accordingly, the CA key is critical to the VPN server's trust chain, and it is equally valuable to anyone who wants to impersonate the VPN server. One way for someone else to obtain the key is to guess it: if you try every possible key, one of them will be the right one. We call this a brute-force attack, and for large key sizes brute-force attacks are computationally enormous. A 1024-bit key requires 2^1024, or roughly 1e+308 (1 followed by 308 zeros), guesses. Even for the fastest computer clusters we have today, that would take longer than the current age of the universe. Algorithmic attacks, however, can substantially reduce the number of guesses needed. Researchers now believe that for a few hundred million dollars, someone could build a computer system powerful enough to break a specific 1024-bit key in a year or less. With the key recovered, that person or group could set up their own VPN servers claiming to be the real VPN servers and decrypt all traffic. Since the same CA key is usually used for all of a vendor's VPN servers, they could effectively decrypt all VPN traffic to all servers, without the user's knowledge. This is called a man-in-the-middle attack, and it is the most effective method for large-scale monitoring of encrypted data.

So although your data is encrypted in transit, it can be routed to a malicious third party who decrypts it on arrival using a man-in-the-middle attack. Data encryption is worthless if the CA key can be cracked. It is the equivalent of putting all your documents in a secure lockbox, then handing the lockbox to an enemy who has stolen the key.

Weak CA keys are even worse than weak encryption keys, because they control the whole kingdom. Tech In Asia rightly asks whether Chinese VPN users of these providers should be worried, because China is easily capable of performing both the brute-force computation and the subsequent man-in-the-middle attacks needed to decrypt the VPN traffic. VyprVPN is immune from this at the moment, and we will continue to update our systems and configurations to follow current best practices and stay safe in the future.
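As an added example (not part of the original post or of Golden Frog's tooling), the following stand-alone Python script reads an RSA public key in SubjectPublicKeyInfo PEM form, such as what `openssl x509 -in ca.crt -pubkey -noout` prints for an OpenVPN CA certificate, and reports whether the modulus meets the 2048-bit floor the post argues for. It uses a minimal DER reader so it needs no third-party library; the helper that builds a dummy-modulus key is constructed test input, not a real key.

```python
import base64, re

# Policy the post argues for: a 1024-bit CA key is within reach of a well-funded
# attacker; 2048 bits is the floor, expected to hold until about 2030.
MIN_CA_KEY_BITS = 2048
RSA_OID = bytes.fromhex("06092a864886f70d010101")  # OID 1.2.840.113549.1.1.1 rsaEncryption

def der_encode(tag, value):
    """One DER TLV element; long-form length for values of 128 bytes or more."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    len_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(len_bytes)]) + len_bytes + value

def der_integer(i):
    raw = i.to_bytes((i.bit_length() + 7) // 8 or 1, "big")
    return der_encode(0x02, (b"\x00" if raw[0] & 0x80 else b"") + raw)  # keep it positive

def der_read(buf):
    tag, length, idx = buf[0], buf[1], 2
    if length & 0x80:  # long form: the next (length & 0x7F) bytes hold the real length
        n = length & 0x7F
        length, idx = int.from_bytes(buf[2:2 + n], "big"), 2 + n
    return tag, buf[idx:idx + length], buf[idx + length:]  # (tag, value, remainder)

def rsa_modulus_bits(spki_pem):
    """Modulus size of an RSA SubjectPublicKeyInfo PEM (-----BEGIN PUBLIC KEY-----)."""
    der = base64.b64decode(re.sub(r"-----[A-Z ]+-----|\s", "", spki_pem))
    tag, spki, _ = der_read(der)            # SubjectPublicKeyInfo ::= SEQUENCE
    assert tag == 0x30, "expected SubjectPublicKeyInfo SEQUENCE"
    _, alg, rest = der_read(spki)           # AlgorithmIdentifier ::= SEQUENCE { OID, NULL }
    assert alg.startswith(RSA_OID), "not an RSA key"
    tag, bitstr, _ = der_read(rest)         # subjectPublicKey ::= BIT STRING
    assert tag == 0x03, "expected BIT STRING"
    _, rsa_pub, _ = der_read(bitstr[1:])    # skip the unused-bits octet; RSAPublicKey ::= SEQUENCE
    tag, modulus, _ = der_read(rsa_pub)     # first INTEGER is the modulus n
    assert tag == 0x02, "expected INTEGER modulus"
    return int.from_bytes(modulus, "big").bit_length()

def ca_key_acceptable(spki_pem):
    return rsa_modulus_bits(spki_pem) >= MIN_CA_KEY_BITS  # False means reissue the CA

def constructed_spki_pem(bits):
    """Test input only: an SPKI whose dummy odd modulus has exactly `bits` bits (not a real RSA key)."""
    rsa_pub = der_encode(0x30, der_integer((1 << (bits - 1)) | 1) + der_integer(65537))
    alg = der_encode(0x30, RSA_OID + b"\x05\x00")
    b64 = base64.b64encode(der_encode(0x30, alg + der_encode(0x03, b"\x00" + rsa_pub))).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN PUBLIC KEY-----\n{body}\n-----END PUBLIC KEY-----\n"
```

For a real CA certificate, pass the PEM text printed by `openssl x509 -in ca.crt -pubkey -noout` to `ca_key_acceptable`.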

More on this topic in a blog post by former Google engineer Mark Brevard.

Update - February 16, 2016

ExpressVPN reported on their blog that they are rolling out new security settings for all of their applications to address the CA key issue.
