Articles about encryption techniques.
If you want the technical informations for Limawi, take a look here.
The running of SSL/TLS
SSL/TLS is a protocol that provides server identity verification (for instance a web server like Limawi, in that case we speak about https because the protocol to access a web server is called http). This identity verification works with a certificate sent from the server.
Here is the protocol step by step (technical terms are present in the graphs):
- The client software asks the server its identity.
- The server sends a certificate signed by the certification authority trusted by both the client software and the server to the client software.
- The client software checks if the signature belongs to the certification authority it trusts.
- It sends a request to this certification authority to check if it ensures that the certificate is still valid.
- The client software and the server agree on a session key that will encrypt informations during a limited period (this time passed, another session key will take the place, the details for Limawi are explained in the graphs about the session key).
- The client software and the server can communicate in a secure way.
The HSTS extension
The HSTS extension is a http protocol extension (the protocol that loads webpages) reinforcing the SSL/TLS use.
If you want the technical informations for MyCrypNet, take a look here.
The client software needs the following files:
- a key/certificate duo (vpn.key/vpn.cert) signed with our certification authority set for OpenVPN, it is specific to each subscribed MyCrypNet access. It is a SSL compatible format working with the asymmetric algorithm RSA.
- A configuration file (MyCrypNet.conf or MyCrypNet.ovpn), common to all users and client softwares but different according to operating systems (Mac OS®, Windows®, Android™, IOS®, Linux®). This file contains a dissipation key that acts against DDOS attacks. It also contains the public certificate of our certification authority, common to all clients and the server, also based on RSA. The key corresponding to that certificate is stored protected and never communicated to the rest of the infrastructure, it is used to sign clients and servers certificates.
Handshake (authentication and session)
This process provides the opening of a VPN session or the renegotiation of it, at least per hour.
- The client software sends a packet with TLS headers signed with the dissipation key to the server trying to connect (SSL/TLS authentication).
- The server accepts or rejects it according to the validity of the dissipation key signature, reducing DDOS attacks risks. The TLS headers being light to generate, it provides a performant first authentication.
- The client software sends its certificate to the server.
- The server checks the certificate signature comparing it to the public certificate of the certification authority that it possesses and a crl (certificate revocation list) generated by the certification authority (currently internal but publishable in the future in order to invalidate servers with the client software).
- If the signature is right, the server sends its certificate to the client software.
- The client software checks the certificate signature by comparing with the public certificate of the certification authority it possesses (the crl will come later).
- If the signature is right, the client software and the server are sure on their mutual identities (as long as they trust the certification authority).