
Technical running of MyCrypNet


Needed files

The client software needs the following files:

  • A key/certificate pair (vpn.key / vpn.cert) signed by our certification authority (CA) set up for OpenVPN. The pair is specific to each subscribed MyCrypNet access. It is in a standard SSL-compatible format and uses the RSA asymmetric algorithm.
  • A configuration file (MyCrypNet.conf or MyCrypNet.ovpn), common to all users and client software but different for each operating system (Mac OS®, Windows®, Android™, iOS®, Linux®). This file contains the dissipation key: a pre-shared HMAC key with which every TLS control packet is authenticated, so that the server can drop unauthenticated packets cheaply and resist DDoS attacks. Because the file is the same for every subscriber, this key is shared among all of them; it limits flooding by outsiders but does not identify a user, which is the job of the certificate. The file also contains the public certificate of our certification authority, common to all clients and the server, also based on RSA. The private key matching that certificate is kept protected and is never communicated to the rest of the infrastructure; it is used only to sign client and server certificates.

Handshake (authentication and session)

This process opens a VPN session, or renegotiates an existing one, which happens at least once per hour.

Authentication

  1. The client software sends the server a TLS handshake packet whose headers carry an HMAC computed with the dissipation key (SSL/TLS authentication).
  2. The server accepts or drops the packet according to whether that HMAC is valid, which reduces the risk of DDoS attacks. Computing and checking this HMAC is cheap compared with the certificate operations that follow, so it provides a fast first authentication.
  3. The client software sends its certificate to the server.
  4. The server checks the certificate's signature against the public certificate of the certification authority it holds, and checks the certificate against a CRL (certificate revocation list) generated by the certification authority (currently internal, but publishable in the future so that the client software can also reject revoked servers).
  5. If the signature is valid, the server sends its own certificate to the client software.
  6. The client software checks that certificate's signature against the public certificate of the certification authority it holds (CRL checking on the client will come later; until then a revoked server certificate is still accepted by clients until it expires).
  7. If that signature is valid too, the client software and the server are each sure of the other's identity (as long as they trust the certification authority).
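The files and handshake steps above map directly onto an OpenVPN client configuration. The one below is an added illustration, not the actual MyCrypNet.ovpn (whose server addresses and key material are not on this page): the remote hostname and port are placeholders, the tls-auth line is the editor's reading of the "dissipation key" as OpenVPN's tls-auth key, and the AES key size is an assumption since the page only says AES in CBC mode.

```conf
client
dev tun
proto udp
# Placeholder endpoint; the real MyCrypNet server address is not given on this page.
remote vpn.example.net 1194
nobind
persist-key
persist-tun

# Public certificate of the certification authority, common to every client
# and server (used in authentication steps 4 and 6).
ca ca.crt
# Per-subscription client key/certificate pair (sent in step 3).
cert vpn.cert
key vpn.key
# Pre-shared HMAC key that authenticates TLS control packets before any
# certificate work is done (the "dissipation key", steps 1 and 2).
# The trailing 1 is the client key direction; the server uses 0.
tls-auth ta.key 1

# Only accept a server certificate that the CA issued for server use, so a
# leaked client certificate cannot be used to impersonate a server.
remote-cert-tls server

# Data channel: AES in CBC mode for encryption, HMAC-SHA256 for integrity.
cipher AES-256-CBC
auth SHA256
# Renegotiate the session keys at least once an hour.
reneg-sec 3600
verb 3
```

The CRL check of step 4 is a server-side directive (`crl-verify crl.pem` on the server), which is why the client file above has no equivalent; once the CA publishes its CRL, the same directive on the client would implement the "CRL will come later" part of step 6.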

Session

  1. Encryption and signature checks with asymmetric keys are heavy to compute compared with symmetric encryption and hash-based signatures (HMAC). The two sides therefore agree on a session secret from which a symmetric session key and an HMAC key are derived. The Diffie-Hellman protocol lets them compute that secret without ever sending it:
    1. the client software sends the server a public base g, a public prime number p, and a public part A = g^c mod p computed from the base, the prime and a secret c that it keeps;
    2. the server sends the client software a public part B = g^s mod p computed from the same base and prime and its own secret s;
    3. the secrets c and s never transit through the network, yet both sides obtain the same value K = B^c mod p = A^s mod p = g^(c·s) mod p, and an eavesdropper who sees only g, p, A and B cannot recover it. From K the session key (for the symmetric algorithm AES in CBC mode) and the HMAC key (SHA256) are derived.
  2. The conversation starts.

Conversation (encryption)

This process encrypts the packets exchanged during a VPN session.

  1. The client software encrypts a packet with the session symmetric key, signs it with the HMAC, and sends it to the server.
  2. If the packet is to go out to the Internet through an exit node, the server first checks the origin and integrity of the packet with the HMAC, then decrypts it with the session symmetric key and processes it. Checking before decrypting means a forged or corrupted packet is dropped without the decryption step ever running on it.
  3. The server encrypts the answer that comes back from the Internet through the exit node, signs it with the HMAC, and sends it to the client software.
  4. The client software checks the origin and integrity of the answer with the HMAC, then decrypts it with the session symmetric key.
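The session and conversation steps above, carried through as an added worked example in Python using only the standard library. This is not MyCrypNet's or OpenVPN's code: the Diffie-Hellman group is the real 1024-bit group 2 from RFC 2409 with generator 2, but the key derivation by labelled HMAC-SHA256, the packet layout, the stand-in cipher (a PRF in counter mode, because the standard library has no AES-CBC) and the sample plaintext are all assumptions made for this illustration, not what OpenVPN does internally.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

# Public Diffie-Hellman group shared by client and server: the 1024-bit MODP
# group 2 prime from RFC 2409 with generator 2. A real, well-known group, but
# too small for new deployments (2048 bits or more is the current minimum).
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF",
    16,
)
G = 2
IV_LEN = 16   # AES block size, which is also the IV length of AES-CBC
TAG_LEN = 32  # HMAC-SHA256 output length


def dh_public(secret: int) -> int:
    """Public part sent over the network: g^secret mod p (A for the client, B for the server)."""
    return pow(G, secret, P)


def dh_shared(peer_public: int, secret: int) -> int:
    """K = peer_public^secret mod p. Degenerate peer values (0, 1, p-1) are refused:
    they would pin K to a trivial value whatever secret this side chose."""
    if not 1 < peer_public < P - 1:
        raise ValueError("peer public value out of range")
    return pow(peer_public, secret, P)


def derive_keys(shared: int) -> Tuple[bytes, bytes]:
    """Turn K into a 32-byte AES-256 key and a 32-byte HMAC-SHA256 key.
    Assumption for this example: HMAC-SHA256 with distinct labels as the KDF.
    OpenVPN itself derives data-channel keys through the TLS handshake."""
    k = shared.to_bytes((P.bit_length() + 7) // 8, "big")
    enc_key = hmac.new(k, b"mycrypnet data encryption", hashlib.sha256).digest()
    mac_key = hmac.new(k, b"mycrypnet data integrity", hashlib.sha256).digest()
    return enc_key, mac_key


def xor_cipher(enc_key: bytes, iv: bytes, data: bytes) -> bytes:
    """Stand-in for AES-CBC (not in the standard library): HMAC-SHA256 as a PRF in
    counter mode, so the same call encrypts and decrypts. Illustration only."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hmac.new(enc_key, iv + offset.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[offset:offset + 32], block))
    return bytes(out)


def seal(mac_key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    """Encrypt-then-MAC packet layout: IV || ciphertext || HMAC-SHA256(IV || ciphertext)."""
    return iv + ciphertext + hmac.new(mac_key, iv + ciphertext, hashlib.sha256).digest()


def open_packet(mac_key: bytes, packet: bytes) -> Optional[bytes]:
    """Check origin and integrity BEFORE any decryption. Returns IV || ciphertext,
    or None if the packet is truncated or its HMAC does not verify."""
    if len(packet) < IV_LEN + TAG_LEN:
        return None
    body, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
    expected = hmac.new(mac_key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return body


def run_session(plaintext: bytes = b"GET / HTTP/1.1\r\nHost: example.net\r\n\r\n") -> Dict[str, object]:
    """One session: DH agreement, key derivation, a client->server packet, and the
    same packet with one ciphertext bit flipped on the wire, which the server drops.
    The default plaintext is a constructed sample."""
    c = secrets.randbelow(P - 3) + 2        # client secret, never sent
    s = secrets.randbelow(P - 3) + 2        # server secret, never sent
    A, B = dh_public(c), dh_public(s)       # the only values that cross the network
    enc_c, mac_c = derive_keys(dh_shared(B, c))
    enc_s, mac_s = derive_keys(dh_shared(A, s))

    iv = secrets.token_bytes(IV_LEN)
    packet = seal(mac_c, iv, xor_cipher(enc_c, iv, plaintext))

    body = open_packet(mac_s, packet)
    received = None if body is None else xor_cipher(enc_s, body[:IV_LEN], body[IV_LEN:])

    forged = bytearray(packet)
    forged[IV_LEN] ^= 0x01                  # attacker flips one bit of the ciphertext
    tampered_rejected = open_packet(mac_s, bytes(forged)) is None

    return {"keys_match": enc_c == enc_s and mac_c == mac_s,
            "received": received, "tampered_rejected": tampered_rejected}


if __name__ == "__main__":
    print(run_session())
```

Two checks in this code are the ones a reviewer looks for in any such implementation: the receiver verifies the HMAC with a constant-time comparison before it touches the ciphertext, and a peer public value of 0, 1 or p-1 is refused rather than fed into the exponentiation.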

Cryptographic algorithms used

  • RSA: the key pairs behind the client, server and certification authority certificates, and the signatures that bind them together.
  • Diffie-Hellman: agreement on the session secret without sending it over the network.
  • AES in CBC mode: symmetric encryption of the packets of a session with the session key.
  • SHA256 as an HMAC: origin and integrity check of each packet with the session HMAC key, and authentication of TLS control packets with the dissipation key.

Other systems used

  • OpenVPN (https://en.wikipedia.org/wiki/OpenVPN): open-source software used to build the MyCrypNet network. It implements the communication protocols described above (authentication, session and conversation).
  • OpenSSL (https://en.wikipedia.org/wiki/OpenSSL): open-source library used by OpenVPN. It provides the implementations of the algorithms listed above that the OpenVPN protocols need.
© 2015-2017 Coppint Market Place Ltd, All rights reserved. Legals