
List:       fwknop-discuss
Subject:    [Fwknop-discuss] fwknop-2.5 released
From:       Michael Rash <mbr () cipherdyne ! org>
Date:       2013-07-20 1:59:23
Message-ID: 20130720015923.GA29006 () cipherdyne ! org

Hello All,

fwknop-2.5 has been released:

http://www.cipherdyne.org/fwknop/download/

The tutorial has been updated to reflect fwknop-2.5 changes:

http://www.cipherdyne.org/fwknop/docs/fwknop-tutorial.html

This release now includes support for HMAC authenticated encryption, with
SHA-256 being the default digest algorithm though others such as SHA-512
are supported as well. The HMAC mode can be applied to SPA packets that
have been encrypted with either Rijndael or GnuPG, and the order of
operation is always encrypt-then-authenticate which is considered to be
the most secure option among all possible orders. Not only does using
the new HMAC mode provide a cryptographically strong authentication step
for SPA communications, it also affords a significant security benefit
because maliciously constructed SPA packets can be discarded before they
are even sent through decryption routines. I.e. HMAC verification is a
much more simplistic operation than decryption, and therefore generally
less prone to programming bugs and potential security vulnerabilities.

There are many other enhancements in fwknop-2.5 as well such as usage of
the Coverity static analyzer, a new ~/.fwknoprc stanza saving feature
for fwknop client usage simplification, support for automatic
Rijndael+HMAC key generation with the --key-gen option, many test suite
improvements, an updated tutorial, and more. There is a robust roadmap
for fwknop, and new releases will come faster now that a solid
foundation is made upon HMAC authenticated encryption for SPA packets.

I wish to thank all who contributed to this effort - particularly Damien
Stuart, Franck Joncourt, Blair Zajac, Michael T. Dean, and Ryman.
Additional contributors are listed in the git history.

***** IMPORTANT *****: If you are upgrading from an older version of
fwknop, you will want to read the "Backwards Compatibility" section of
the fwknop tutorial available here:

http://www.cipherdyne.org/fwknop/docs/fwknop-tutorial.html#backwards-compatibility

In summary, it is possible to have a mixed environment of fwknop-2.5
clients and/or servers with older client and/or servers, but this
requires some configuration in order to work properly. On the server
side, the directive "ENCRYPTION_MODE legacy" will need to be added to
every access.conf stanza that uses Rijndael and that needs to support
SPA packets from pre-2.5 clients. On the client side when generating
Rijndael-encrypted SPA packets from a pre-2.5 server, the command line
argument "-M legacy" will need to be given. GnuPG operations are not
affected however and don't require the above steps whenever the new HMAC
authenticated encryption feature (offered in fwknop-2.5) is not used.

Here is the complete ChangeLog:

http://www.cipherdyne.org/cgi-bin/gitweb.cgi?p=fwknop.git;a=blob;f=ChangeLog;h=d30e6cad4977b314d99839b9b4c8b5eb4be63dbd;hb=7359acec2a86cabde637c0383b6bc4b6605058cc


Please let me know if there are any issues.

--Mike

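The encrypt-then-authenticate ordering and the "verify the HMAC before decrypting" property described in the announcement, as an added Go example that is not fwknop's own code or wire format: it assumes AES-128-CTR for the cipher, HMAC-SHA256 over iv||ciphertext for the tag, and constructed key, IV and payload values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"errors"
	"fmt"
)

// ErrBadHMAC means the tag did not verify, so the ciphertext was never decrypted.
var ErrBadHMAC = errors.New("HMAC mismatch: packet discarded before decryption")
// xorStream applies AES-128-CTR to data; the same call encrypts and decrypts.
func xorStream(key, iv, data []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	out := make([]byte, len(data))
	cipher.NewCTR(block, iv).XORKeyStream(out, data)
	return out, nil
}
// sealPacket encrypts first, then HMAC-SHA256 over iv||ciphertext (encrypt-then-authenticate).
// Constructed layout, not fwknop's wire format: iv || ciphertext || 32-byte tag.
func sealPacket(encKey, macKey, iv, plaintext []byte) ([]byte, error) {
	ct, err := xorStream(encKey, iv, plaintext)
	if err != nil { return nil, err }
	body := append(append([]byte{}, iv...), ct...)
	mac := hmac.New(sha256.New, macKey)
	mac.Write(body)
	return append(body, mac.Sum(nil)...), nil
}
// openPacket verifies the tag in constant time before decrypting; decryptCalls counts decryption entries.
func openPacket(encKey, macKey, packet []byte, decryptCalls *int) ([]byte, error) {
	if len(packet) < aes.BlockSize+sha256.Size { return nil, ErrBadHMAC }
	body, tag := packet[:len(packet)-sha256.Size], packet[len(packet)-sha256.Size:]
	mac := hmac.New(sha256.New, macKey)
	mac.Write(body)
	if !hmac.Equal(mac.Sum(nil), tag) { return nil, ErrBadHMAC } // rejected before decryption
	*decryptCalls++
	return xorStream(encKey, body[:aes.BlockSize], body[aes.BlockSize:])
}
func main() {
	encKey, macKey, iv := []byte("0123456789abcdef"), []byte("constructed-hmac-key"), []byte("fedcba9876543210")
	pkt, _ := sealPacket(encKey, macKey, iv, []byte("constructed SPA payload"))
	calls := 0
	pkt[aes.BlockSize] ^= 0x01 // flip one ciphertext byte in transit
	_, err := openPacket(encKey, macKey, pkt, &calls)
	fmt.Println(err, "| decryption calls:", calls)
}
```

A tampered or forged packet fails the constant-time tag check and the decryption routine is never entered, which is the "discarded before decryption" benefit the announcement describes.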
_______________________________________________
Fwknop-discuss mailing list
Fwknop-discuss@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fwknop-discuss

