OpenVPN with Duplicate Client Certificates & Keys

The fear of every surveillance society: citizens protecting their own privacy with strong cryptography

Post by Kiros72 on Tue Dec 28, 2010 5:17 am
I'm vaguely aware of how SSL works, but this tactic doesn't seem secure to me. Imagine this scenario:

There is a free OpenVPN service that uses OpenSSL (Easy-RSA) to generate its own ca.crt (the server's CA certificate with public key) and ca.key (the server's private key). The organization also generates one client.crt (client's certificate with public key) and one client.key (client's private key). Then they package the ca.crt, client.crt, and client.key files with their custom OpenVPN installation package, and the certificates and keys never change. Every person who uses this organization's VPN service will have the same client certificate, the same public key, and the same private key (as well as the same protocol and cipher). Lastly, these items of interest can be acquired simply by filling out a registration form and installing their software.

This sounds like a huge vulnerability to me, but I'm only a novice as far as networking goes, if that. The reason I think this isn't protecting data is because if someone who is "listening" to your connection has the same public keys and private key available, couldn't they decrypt your communication with the server? But please, let me know what you guys think. Is such a setup still secure? And if it really is still secure, why/how? Does SSL create a purely unique key upon connection, even with the same client certs and keys being used? o.O

Thanks for reading. I hope to see your opinions and learn more about VPNs and SSL.
Kiros72
New User
Posts: 1
Joined: Tue Dec 28, 2010 4:47 am


Re: OpenVPN with Duplicate Client Certificates & Keys

Post by OnlyHuman on Tue Dec 28, 2010 5:27 am
You're right. That would be extremely dangerous. But, who would do that? Throughout most of public key cryptography, key pairs (public AND private) are generated on a per-client basis. Otherwise, it defeats the purpose, almost exactly to the letter how you described it. I can't say that 100% of organizations follow this, but if they don't, they're definitely fooling themselves as far as their security is concerned.
OnlyHuman
Poster
Posts: 191
Joined: Sat Aug 22, 2009 1:37 am
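One way to check for the setup described in this thread is to compare the key material embedded in the client profiles a provider hands out: if several users' profiles carry byte-identical <cert> and <key> blocks, they all share one client identity. This is an added example, not code from either poster; it assumes the inline .ovpn profile format and uses constructed placeholder PEM bodies, not real keys.

```python
import hashlib
import re
from collections import defaultdict


def make_profile(cert_body: str, key_body: str) -> str:
    """Build a constructed inline OpenVPN profile (placeholder PEM bodies, not real keys)."""
    return (
        "client\nremote vpn.example.invalid 1194\n"
        "<cert>\n-----BEGIN CERTIFICATE-----\n" + cert_body + "\n-----END CERTIFICATE-----\n</cert>\n"
        "<key>\n-----BEGIN PRIVATE KEY-----\n" + key_body + "\n-----END PRIVATE KEY-----\n</key>\n"
    )


# Constructed sample set: two users received the identical bundle, a third got a per-user key.
PROFILES = {
    "alice.ovpn": make_profile("CERT_SHARED_PLACEHOLDER", "KEY_SHARED_PLACEHOLDER"),
    "bob.ovpn": make_profile("CERT_SHARED_PLACEHOLDER", "KEY_SHARED_PLACEHOLDER"),
    "carol.ovpn": make_profile("CERT_CAROL_PLACEHOLDER", "KEY_CAROL_PLACEHOLDER"),
}

INLINE_RE = re.compile(r"<(cert|key)>(.*?)</\1>", re.S)
PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def inline_fingerprints(profile_text: str) -> dict:
    """Return {'cert': sha256hex, 'key': sha256hex} for the inline blocks of one profile.
    The base64 body is whitespace-normalised first so line wrapping does not affect the hash."""
    out = {}
    for tag, block in INLINE_RE.findall(profile_text):
        m = PEM_RE.search(block)
        if m:
            body = "".join(m.group(2).split())
            out[tag] = hashlib.sha256(body.encode()).hexdigest()
    return out


def find_shared_material(profiles: dict) -> dict:
    """Group profile names by identical cert/key fingerprint; keep only groups with >1 member."""
    groups = defaultdict(list)
    for name, text in profiles.items():
        for tag, fp in inline_fingerprints(text).items():
            groups[(tag, fp)].append(name)
    return {k: sorted(v) for k, v in groups.items() if len(v) > 1}


if __name__ == "__main__":
    for (tag, fp), names in find_shared_material(PROFILES).items():
        print(f"{tag} {fp[:16]}... is shared by: {', '.join(names)}")
```

Profiles that reference external files with `cert` and `key` directives instead of inline blocks would need to be read from disk first; the hashing step is the same.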
