Re: [pfSense] Can pfSense be considered trusted? What implementations of VPNs can now be trusted?

[Eugen Leitl]

- Forwarded message from "James A. Donald"  -

Date: Fri, 11 Oct 2013 07:41:56 +1000
From: "James A. Donald" 
To: cypherpu...@cpunks.org, Giles Coochey 
Subject: Re: [pfSense] Can pfSense be considered trusted? What implementations 
of VPNs can now be trusted?
Message-ID: <52571f24.4030...@echeque.com>
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:24.0) Gecko/20100101 
Thunderbird/24.0

On 2013-10-11 00:39, Eugen Leitl wrote:
> - Forwarded message from Giles Coochey  -
> 2. Cipher Selection - we're not all cryptoanalysts, so statements like
> 'trust the math' don't always mean much to us, given the reports in
> the media, what is considered a safe cypher? I recently switched from
> AES-256 to Blowfish-256, hashing from SHA-1 to SHA-512 and pfs group 2
> to pfs group 5, and I reduced my SA lifetimes from 28800 to 1800.
> Could that be considered overkill? What Cipher's are others using?
> Have any of you, who have been made recently aware of the media
> coverage recently, also changed your cipher selection? What kind of
> changes did you make?

Overkill is a rational and appropriate response to recent revelations.
NIST is actually out to get you, so you might as well put on a tinfoil
hat to be on the safe side.  Yes, there really is a gigantic
government conspiracy, no kidding.

While I am pretty sure AES and SHA 256 is perfectly safe, in view of
recent events, I would follow the lead of the highly competent
cryptographer Jon Callas,
http://www.mail-archive.com/infowarrior@attrition.org/msg10926.html
and use non NIST algorithms:

Use Twofish in place of AES if convenient to do so, and Skein hash in
place of SHA hash.



- End forwarded message -
-- 
Eugen* Leitl http://leitl.org";>leitl http://leitl.org
__
ICBM: 48.07100, 11.36820 http://ativel.com http://postbiota.org
AC894EC5: 38A5 5F46 A4FF 59B8 336B  47EE F46E 3489 AC89 4EC5
___
List mailing list
List@lists.pfsense.org
http://lists.pfsense.org/mailman/listinfo/list

Re: [pfSense] Can pfSense be considered trusted? What implementations of VPNs can now be trusted?

[Gé Weijers]

On Thu, Oct 10, 2013 at 12:23 PM, Vick Khera  wrote:

>
>
> To list the "strong" ciphers only, use this: /usr/local/bin/openssl
> ciphers "TLSv1.2:-MD5:-RC4:-aNULL:-MED:-LOW:-EXP:-NULL"
>


MD5 as a hash function has been broken, but that break (fast collision
search) is irrelevant for its use as a component of HMAC. HMAC-MD5 is still
acceptable for many uses, esp. on an ALIX board that's not very fast anyway.



-- 
Gé
___
List mailing list
List@lists.pfsense.org
http://lists.pfsense.org/mailman/listinfo/list

Re: [pfSense] Can pfSense be considered trusted? What implementations of VPNs can now be trusted?

[Vick Khera]

On Thu, Oct 10, 2013 at 1:19 PM, Jim Thompson  wrote:

> > Is there any mechanism to insert ciphers into Pfsense that are not
> currently supported?
>
> You have the source code.
>
> I, for one, am uninterested in non standards-compliant (and thus
> interoperable) implementations.
>

I personally choose the ciphers that are "hardware" optimized, since my
low-end home router (ALIX) gets me faster vpn performance when I do, and I
transfer files to/from office all the time. So if the GUI recommends XYZ
because it is hardware accelerated, I choose it.

That said, a lot of the panic-driven-secure-your-web-sites-against-the-NSA
instructions recommend enabling ciphers that use ephemeral session keys.
The OpenSSL included in pfSense 2.1 supports many of these. Type this
"/usr/local/bin/openssl ciphers" to see them all. The ones that end with
"E" in the first component are the ones with the ephemeral key-. Now, how
to convince the GUI to make use of these for IPsec or OpenVPN I do not
know. I'm sure you can do it via direct config file tweakage, though. I
think IPsec renegotiates keys every 60 minutes anyway, so they'd have to do
a lot of key breaking to snoop your data, unless they could predict your
keys or sneak a MitM attack on you.

To list the "strong" ciphers only, use this: /usr/local/bin/openssl ciphers
"TLSv1.2:-MD5:-RC4:-aNULL:-MED:-LOW:-EXP:-NULL"
___
List mailing list
List@lists.pfsense.org
http://lists.pfsense.org/mailman/listinfo/list

Re: [pfSense] Can pfSense be considered trusted? What implementations of VPNs can now be trusted?

[Jim Thompson]

On Oct 10, 2013, at 4:49 PM, Giles Coochey  wrote:

> On 10/10/2013 15:04, Chris Bagnall wrote:
>> What made you change from AES to Blowfish, and is there any evidence to 
>> suggest that Blowfish is more 'secure' than AES?
>> 
> My understanding is that AES was championed by an agency which has received 
> recent bad-press.;-)

This is not an answer.   

> Blowfish was a contender to actually become AES wasn't it?

yes, but even Bruce Schneier, Blowfish's creator, is quoted in 2007 as saying 
"At this point, though, I'm amazed it's still being used. If people ask, I 
recommend Twofish instead.'

https://www.computerworld.com.au/article/46254/bruce_almighty_schneier_preaches_security_linux_faithful/

> I agree that I might see better performance with AES as it is supported in 
> hardware by many chipsets, and when selected all the contenders marked AES as 
> second best (after their own submissions of course...). I'm not saying it is 
> insecure, I'm just weary of the following:



> Is there any mechanism to insert ciphers into Pfsense that are not currently 
> supported?

You have the source code.

I, for one, am uninterested in non standards-compliant (and thus interoperable) 
implementations.

jim

___
List mailing list
List@lists.pfsense.org
http://lists.pfsense.org/mailman/listinfo/list

Re: [pfSense] Can pfSense be considered trusted? What implementations of VPNs can now be trusted?

[Jim Thompson]

On Oct 10, 2013, at 4:34 PM, Yehuda Katz  wrote:

> Since we keep coming back to FreeBSD as it pertains to security:
> 
> 3) FreeBSD is very mature, and very well reviewed.  I've looked into FreeBSD 
> to my personal satisfaction.  OpenBSD may be abrasive as a community at 
> times, but their work product is pretty impressive in terms of being clean 
> and funcitonal.  I was very happy with how they handled that whole IPSec 
> fiasco in 2011.  I've been following pfSense for a while now, and I've used 
> it off and on for years.  I'm very satisfied by the quality and oversight of 
> the coding.   But by all means dig as long as your curiosity holds out.  you 
> can never be "100% sure" of the security of any software, but "sufficiently 
> sure" is absolutely worth looking into.  
> 
> FreeBSD is not the distribution in the BSD family that is best known for 
> security. Indeed OpenBSD has a specific focus on security (which has been 
> studied, as has the relationship between the BSDs), but FreeBSD focuses on 
> being more inclusive of a variety of hardware at a cost of not being 100% 
> open source.
> That is a tradeoff, but it does not mean that FreeBSD is not secure, it just 
> means ... well I have not found a study about that yet.

Go ahead and believe the marketing/hype (“best known”) about OpenBSD if you 
like.

the simple fact is, if security issues are found in any of the BSDs, the fixes 
for them quickly propagate between all of them.

In the end, OpenBSD is no more ‘secure’ than FreeBSD or NetBSD.

Jim


___
List mailing list
List@lists.pfsense.org
http://lists.pfsense.org/mailman/listinfo/list

Re: [pfSense] Can pfSense be considered trusted? What implementations of VPNs can now be trusted?

[Thinker Rix]

Hi Giles,

On 2013-10-10 16:50, Giles Coochey wrote:

Trying to get this back on-topic, I will change the subject however


Giles, please note that Jim Pingle has already started a new thread for 
this purpose that he named "[pfSense] Crypto/RNG Suggestions" today.
It seems to be beneficial to add your posting to his thread, not to have 
2 concurrent threads - und thus concurrent discussions - about the same 
topic.


Regards
Thinker Rix
___
List mailing list
List@lists.pfsense.org
http://lists.pfsense.org/mailman/listinfo/list

Re: [pfSense] Can pfSense be considered trusted? What implementations of VPNs can now be trusted?

[Giles Coochey]

On 10/10/2013 15:04, Chris Bagnall wrote:

What made you change from AES to Blowfish, and is there any evidence to suggest 
that Blowfish is more 'secure' than AES?


My understanding is that AES was championed by an agency which has 
received recent bad-press.;-)


Blowfish was a contender to actually become AES wasn't it?

I agree that I might see better performance with AES as it is supported 
in hardware by many chipsets, and when selected all the contenders 
marked AES as second best (after their own submissions of course...). 
I'm not saying it is insecure, I'm just weary of the following:


1. AES was championed by that agency
2. General comments heard, (a) "When GCHQ heard what that agency had 
done it was 'jaw dropping'", (b) The agency pro-actively steered the 
community towards insecure algorithms.
3. Blowfish only just missed out on AES, didn't it come 2nd or 3rd, or 
was that a related cipher?
4. I'm a complete novice, and I get the impression that most who choose 
a cipher do so either on a whim, or on someone elses say so.


What about CAST128 ??? 2.1 appears to support that. Is there any plan to 
support Twofish? Schneier said in 2007 he'd recommend that over 
Blowfish. Is there any mechanism to insert ciphers into Pfsense that are 
not currently supported?


--
Regards,

Giles Coochey, CCNP, CCNA, CCNAS
NetSecSpec Ltd
+44 (0) 8444 780677
+44 (0) 7983 877438
http://www.coochey.net
http://www.netsecspec.co.uk
gi...@coochey.net




smime.p7s
Description: S/MIME Cryptographic Signature
___
List mailing list
List@lists.pfsense.org
http://lists.pfsense.org/mailman/listinfo/list

Re: [pfSense] Can pfSense be considered trusted? What implementations of VPNs can now be trusted?

[Eugen Leitl]

On Thu, Oct 10, 2013 at 02:50:41PM +0100, Giles Coochey wrote:

> 1. The random number generator - As pfSense uses FreeBSD this may
> well be a FreeBSD specific question, however, are there any ways
> within pfsense that we can improve the entropy pool that the random
> number gets its randomness from? Has anyone had any experience of
> implementing an external entropy source (e.g.
> http://www.entropykey.co.uk/) in pfsense?

The ALIX has a Geode LX 800 with a hardware RNG, and mini-PCI
slots which be be populated e.g. with a HiFn crypto accelerator
which also has a hardware RNG. I would be interested to know
what happens if you have two or more hardware RNGs in your system
(can you bind these to different /dev/ devices?).

There's also the problematic behaviour of hardware RNG overruling
Yarrow, if present. I'd prefer that all hardware RNGs and other
sources of physical entropy, if available, be mixed in into a 
large-state PRNG, as many hardware RNGs are crappy, and most are
unauditable.
___
List mailing list
List@lists.pfsense.org
http://lists.pfsense.org/mailman/listinfo/list

Re: [pfSense] Can pfSense be considered trusted? What implementations of VPNs can now be trusted?

[Yehuda Katz]

Since we keep coming back to FreeBSD as it pertains to security:

 3) FreeBSD is very mature, and very well reviewed.  I've looked into
>> FreeBSD to my personal satisfaction.  OpenBSD may be abrasive as a
>> community at times, but their work product is pretty impressive in terms of
>> being clean and funcitonal.  I was very happy with how they handled that
>> whole IPSec fiasco in 2011.  I've been following pfSense for a while now,
>> and I've used it off and on for years.  I'm very satisfied by the quality
>> and oversight of the coding.   But by all means dig as long as your
>> curiosity holds out.  you can never be "100% sure" of the security of any
>> software, but "sufficiently sure" is absolutely worth looking into.
>>
>
FreeBSD is not the distribution in the BSD
familythat is
best known for
security.
Indeed OpenBSD has a specific focus on security
(which
has 
been
studied , as has
the relationship between the
BSDs),
but FreeBSD focuses on being more inclusive of a variety of hardware at a
cost of not being 100% open source.
That is a tradeoff, but it does not mean that FreeBSD is not secure, it
just means ... well I have not found a study about that yet.

- Y
___
List mailing list
List@lists.pfsense.org
http://lists.pfsense.org/mailman/listinfo/list

Re: [pfSense] Can pfSense be considered trusted? What implementations of VPNs can now be trusted?

[Ian Bowers]

On Thu, Oct 10, 2013 at 9:50 AM, Giles Coochey  wrote:

>  Trying to get this back on-topic, I will change the subject however, to
> alleviate the issues the anti-tin-foil-hat-brigade have. (ps I am also
> top-posting on purpose as I believe the conversation below has near to no
> relevance to my questions, but simply is an argument as to whether these
> questions should be asked, to which I believe in the affirmative).
>
> I have various questions to offer for discussion  which have been
> bothering me since various security related issues that have appeared in
> the media recently: (see: https://www.schneier.com/crypto-gram-1309.html)
>
> Clearly, at the moment, open source security tools ought to have an
> advantage over closed-source tools. However, peer review of open-source
> code is not always complete, and there have been questions whether even
> algorithms have been subverted.
>
> 1. The random number generator - As pfSense uses FreeBSD this may well be
> a FreeBSD specific question, however, are there any ways within pfsense
> that we can improve the entropy pool that the random number gets its
> randomness from? Has anyone had any experience of implementing an external
> entropy source (e.g. http://www.entropykey.co.uk/) in pfsense?
> 2. Cipher Selection - we're not all cryptoanalysts, so statements like
> 'trust the math' don't always mean much to us, given the reports in the
> media, what is considered a safe cypher? I recently switched from AES-256
> to Blowfish-256, hashing from SHA-1 to SHA-512 and pfs group 2 to pfs group
> 5, and I reduced my SA lifetimes from 28800 to 1800. Could that be
> considered overkill? What Cipher's are others using? Have any of you, who
> have been made recently aware of the media coverage recently, also changed
> your cipher selection? What kind of changes did you make?
> 3. pfSense - In general do you consider pfsense secure?? As we are
> apparently told, asking whether the NSA has inserted or influenced the code
> in any way either in the pfsense code, or the upstream base (FreeBSD) is a
> question that we can't ask, as if it were the case then the NSA would have
> instructed someone in the know, to answer in the no.
>
>
>
>
1)  I don't have the expertise to talk about RNGs in such a way that I feel
confident that my response is something other people should actually listen
to.  The good ones are based on thermal noise or some other sort of "truly"
random source.  but flaws in the software that processes this can make it
less random.  This is a rabbit hole I've chosen not to dive down yet, but
made it a point to be aware of and follow along with as things unfold.  So
I'll defer to others here.

2) Apologies for answering out of order, but it's early and my brain is
working that way.  PFS group 5 is typically a good functional minimum, I
bump it up where appropriate, but I find in the higher PFS group I run into
interop issues when connecting to different vendors.  Most everything
supports groups 1, 2, and 5, but 5 is my minimum unless someone has a good
reason.  Cisco has a reputation for support of legacy protocols and
configurations (which is a double edged sword for sure), and even they are
saying groups 1 and 2 should not be used.  For SA lifetimes I'm ok with
28800 for phase 1, and 3600 for phase 2.  Phase 2 is really where you need
to mix it up frequently.  it's less important with phase 1.  Opinions on
this differ, but if you have PFS in play on phase 2, the lifetime of phase
1 becomes much less important.   But play it how you like it, modern CPUs
have the horsepower to renegotiate frequently.   For encryption ciphers I
rock AES-256 all day every day when I can.  I've done my homework on the
AES development and selection process, and I'm satisfied (for now) with how
open it was and how it was critiqued.   It's also the strongest encryption
cipher that with widespread support, and even on my home network I have
LAN-2-LAN tunnels to multiple vendors' gear.   roll that into how primitive
many remote access clients can be, and AES-256 typically comes out on top
as the best you can get and still have a good chance of your peer
supporting it.   As far as hashing, I'm still rocking SHA-1 for now because
I see abuse of the hashing algorithm for a functional attack as something
that would only realistically be used in a real-time man in the middle type
attack.  A lot of other cards have to have fallen down for this to become a
problem.  I'm under that kind of attack, I've got bigger problems.  That
being said, I can't think of a good reason NOT to bump up hashing either.
 so play it as you like it.

3) FreeBSD is very mature, and very well reviewed.  I've looked into
FreeBSD to my personal satisfaction.  OpenBSD may be abrasive as a
community at times, but their work product is pretty impressive in terms of
being clean and funcitonal.  I was very happy with how they handled that
whole IPSec fiasco in 2011.  I've been following pfSense for a while now,
and I've

Re: [pfSense] Can pfSense be considered trusted? What implementations of VPNs can now be trusted?

[Chris Bagnall]

I've deliberately stayed out of the political discussion, but interested in 
this more technical discussion…

On 10 Oct 2013, at 14:50, Giles Coochey  wrote:
> 2. Cipher Selection - we're not all cryptoanalysts, so statements like 'trust 
> the math' don't always mean much to us, given the reports in the media, what 
> is considered a safe cypher? I recently switched from AES-256 to 
> Blowfish-256, hashing from SHA-1 to SHA-512 and pfs group 2 to pfs group 5, 
> and I reduced my SA lifetimes from 28800 to 1800. Could that be considered 
> overkill?

I believe there were discussions about 18 months ago to the effect that a 
weakness (cryptanalysis rather than brute force) had been discovered in SHA1, 
so going up to SHA512 can't be a bad thing.

You might want to look at RIPEMD160 (and derivatives) as well - very different 
development model from SHA derivatives, which you may or may not find more 
comforting.

What made you change from AES to Blowfish, and is there any evidence to suggest 
that Blowfish is more 'secure' than AES?

It's worth mentioning here that AES acceleration is well supported in hardware 
(even low-power platforms like the ALIX embedded boards have AES acceleration), 
whereas Blowfish will likely be done entirely in software.

> 3. pfSense - In general do you consider pfsense secure??

pfSense is, essentially, a very well put together collection of other packages. 
The question isn't so much whether pfSense itself is 'secure', but whether 
those other packages which make up the security portions of pfSense (pf, 
OpenVPN, even FreeBSD itself) are themselves secure. Those are probably 
questions better aimed at the developers of those packages.

Kind regards,

Chris
-- 
This email is made from 100% recycled electrons

___
List mailing list
List@lists.pfsense.org
http://lists.pfsense.org/mailman/listinfo/list

Re: [pfSense] Can pfSense be considered trusted? What implementations of VPNs can now be trusted?

[Giles Coochey]

Trying to get this back on-topic, I will change the subject however, to 
alleviate the issues the anti-tin-foil-hat-brigade have. (ps I am also 
top-posting on purpose as I believe the conversation below has near to 
no relevance to my questions, but simply is an argument as to whether 
these questions should be asked, to which I believe in the affirmative).


I have various questions to offer for discussion  which have been 
bothering me since various security related issues that have appeared in 
the media recently: (see: https://www.schneier.com/crypto-gram-1309.html)


Clearly, at the moment, open source security tools ought to have an 
advantage over closed-source tools. However, peer review of open-source 
code is not always complete, and there have been questions whether even 
algorithms have been subverted.


1. The random number generator - As pfSense uses FreeBSD this may well 
be a FreeBSD specific question, however, are there any ways within 
pfsense that we can improve the entropy pool that the random number gets 
its randomness from? Has anyone had any experience of implementing an 
external entropy source (e.g. http://www.entropykey.co.uk/) in pfsense?
2. Cipher Selection - we're not all cryptoanalysts, so statements like 
'trust the math' don't always mean much to us, given the reports in the 
media, what is considered a safe cypher? I recently switched from 
AES-256 to Blowfish-256, hashing from SHA-1 to SHA-512 and pfs group 2 
to pfs group 5, and I reduced my SA lifetimes from 28800 to 1800. Could 
that be considered overkill? What Cipher's are others using? Have any of 
you, who have been made recently aware of the media coverage recently, 
also changed your cipher selection? What kind of changes did you make?
3. pfSense - In general do you consider pfsense secure?? As we are 
apparently told, asking whether the NSA has inserted or influenced the 
code in any way either in the pfsense code, or the upstream base 
(FreeBSD) is a question that we can't ask, as if it were the case then 
the NSA would have instructed someone in the know, to answer in the no.



On 10/10/2013 12:33, Rüdiger G. Biernat wrote:

This discussion about security/NSA/encryption IS important. Please go on.


Von Samsung Mobile gesendet


 Ursprüngliche Nachricht 
Von: Giles Coochey
Datum:10.10.2013 11:39 (GMT+01:00)
An: list@lists.pfsense.org
Betreff: Re: [pfSense] NSA: Is pfSense infiltrated by "big brother" 
NSA or others?


On 10/10/2013 09:38, Thinker Rix wrote:
> On 2013-10-10 01:13, Przemys?aw Pawe?czyk wrote:
>> On Thu, 10 Oct 2013 00:05:22 +0300
>> Thinker Rix  wrote:
>>
>>> Well, actually I started this thread with a pretty frank,
>>> straight-forward and very simple question.
>> That's right and they were justified.
>
> Thank you!
>
>> BTW, you pushed to the corner the (un)famous American hubris (Obama: US
>> is exceptional.), that's the nasty answers from some.
>
> Yes, I guess I have hit a whole bunch of different nerves with my
> question, and I find it to be highly interesting to observe some of
> the awkward reactions, socioscientificly and psychologically.
>
> I have been insulted, I have been bullied, I have been called to
> self-censor myself and at the end some users "virtually joined" to
> give the illusion of a majority an muzzle me, stating, that my
> question has no place at this pfSense mailing list. Really amazing,
> partly hilarious reactions, I think.
> These reactions say so much about how far the whole surveillance and
> mind-suppression has proceeded already and how much it has influenced
> the thoughts and behavior of formerly free people by now. Frightening.
>
>> Thinker Rix, you are not alone at your unease pressing you to ask
>> those questions about pfSense and NSA.
>
> Thank you for showing your support openly!

I too was surprised to see some activity on the pfsense list, after
seeing only a few posts per week I checked today to find several dozen
messages talking about a topic I have been concerned with myself - as a
network security specialist, how much can I trust the firewalls I use,
be they embedded devices, software packages, or 'hardware' from
manufacturers.
There are many on-topic things to discuss here:
1. Which Ciphers & Transforms should we now consider secure (pfsense
provides quite a few cipher choices over some other off the shelf 
hardware.

2. What hardware / software & configuration changes can we consider to
improve RNG and ensure that should we increase the bit size of our
encryption, reduce lifetimes of our SAs that we can still ensure we have
enough entropy in the RNG on a device that is typically starved of
traditional entropy sources.

This is so much on-topic, I am surprised that there has been a movement
to call this thread to stop, granted - it may seem that the conversation
may drift into a political one, with regard to privacy law etc...
however, that is a valid sub-topic for a discussion list that addresses
devices that are designed and