Functionalities of MyCrypNet.
For the technical information on MyCrypNet, take a look here.
The client software needs the following files:
- A key/certificate pair (vpn.key/vpn.cert) signed by our certification authority set up for OpenVPN; it is specific to each subscribed MyCrypNet access. It is in an SSL-compatible format and uses the asymmetric algorithm RSA.
- A configuration file (MyCrypNet.conf or MyCrypNet.ovpn), common to all users and client software but different for each operating system (Mac OS®, Windows®, Android™, iOS®, Linux®). This file contains a dissipation key that acts against DDoS attacks. It also contains the public certificate of our certification authority, common to all clients and the server, also based on RSA. The private key corresponding to that certificate is stored protected and never communicated to the rest of the infrastructure; it is used to sign client and server certificates.
Handshake (authentication and session)
This process opens a VPN session or renegotiates it, at least once per hour.
- The client software sends a packet whose TLS headers are signed with the dissipation key to the server it is trying to connect to (SSL/TLS authentication).
- The server accepts or rejects it according to the validity of the dissipation-key signature, reducing the risk of DDoS attacks. Since the TLS headers are cheap to generate, this provides an efficient first authentication.
- The client software sends its certificate to the server.
- The server checks the certificate signature against the public certificate of the certification authority it holds, and against a CRL (certificate revocation list) generated by the certification authority (currently internal, but publishable in the future so that the client software can invalidate servers).
- If the signature is valid, the server sends its certificate to the client software.
- The client software checks the certificate signature against the public certificate of the certification authority it holds (the CRL check on the client side will come later).
- If the signature is valid, the client software and the server are sure of each other's identity (as long as they trust the certification authority).
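The certificate checks described in the two sections above (a client pair signed by the certification authority, verified by the peer against the CA certificate and its CRL) can be reproduced with the openssl command line. The script below is an added example, not MyCrypNet's own tooling or configuration: it builds a throwaway CA, issues a client pair named vpn.key/vpn.cert as on this page, shows that the pair passes the signature-plus-CRL check, that a self-signed certificate claiming the same name is rejected, and that the pair is rejected once the CA revokes it. The CA name, common names, the ca.cnf settings and all other file names are constructed for the demonstration; the dissipation-key step of the handshake is not modelled.

```shell
#!/bin/sh
# Added example (not MyCrypNet's code): a throwaway certification authority
# built with the openssl CLI, exercising the signature and CRL checks of the
# handshake. vpn.key/vpn.cert follow the page; every other name is constructed.
set -eu

# Create the CA key and self-signed certificate, plus the minimal database
# that `openssl ca` needs for -revoke and -gencrl. In production the CA key
# stays offline; only ca.crt is distributed to clients and servers.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -subj "/CN=Demo VPN CA" -keyout ca.key -out ca.crt >/dev/null 2>&1
  : > index.txt          # CA database of issued/revoked certificates
  echo 01 > crlnumber    # running CRL number
  cat > ca.cnf <<'EOF'
[ ca ]
default_ca = demo_ca
[ demo_ca ]
database         = index.txt
certificate      = ca.crt
private_key      = ca.key
crlnumber        = crlnumber
default_md       = sha256
default_crl_days = 30
EOF
}

# Issue the per-subscription client pair (RSA key + CA-signed certificate).
issue_client_cert() {   # $1 = common name of the subscriber
  openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=$1" \
    -keyout vpn.key -out vpn.csr >/dev/null 2>&1
  openssl x509 -req -sha256 -days 90 -in vpn.csr -CA ca.crt -CAkey ca.key \
    -CAcreateserial -out vpn.cert >/dev/null 2>&1
}

# Publish the current CRL (empty until a certificate has been revoked).
gen_crl() { openssl ca -config ca.cnf -gencrl -out crl.pem >/dev/null 2>&1; }

# Mark a certificate as revoked in the CA database.
revoke_cert() { openssl ca -config ca.cnf -revoke "$1" >/dev/null 2>&1; }

# The check a peer performs on the certificate it receives: the CA signature
# must verify and the serial must not appear on the CRL. Prints "valid" or
# "rejected" rather than exiting so callers can branch on the result.
verify_cert() {   # $1 = certificate to check
  if openssl verify -CAfile ca.crt -crl_check -CRLfile crl.pem "$1" >/dev/null 2>&1; then
    echo valid
  else
    echo rejected
  fi
}

# A self-signed certificate that merely claims the same name: no CA signature.
make_rogue_cert() {   # $1 = common name to impersonate
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 90 -subj "/CN=$1" \
    -keyout rogue.key -out rogue.cert >/dev/null 2>&1
}

WORK=$(mktemp -d); cd "$WORK"
make_ca
issue_client_cert client-0001
gen_crl
echo "CA-signed pair:       $(verify_cert vpn.cert)"     # valid
make_rogue_cert client-0001
echo "self-signed impostor: $(verify_cert rogue.cert)"   # rejected
revoke_cert vpn.cert
gen_crl
echo "after revocation:     $(verify_cert vpn.cert)"     # rejected
```

Run it in a scratch directory; it only writes under the temporary directory it creates. The revocation step is the reason the page insists on a CRL in addition to the CA certificate: a revoked pair still carries a perfectly valid CA signature, so a peer that checks only the signature would keep accepting it.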