OpenVPN 2.4 security differences between tls-crypt and tls-auth
I was reading about tls-crypt and was curious whether it would increase security and reduce the chance of keys being compromised during handshakes, and whether it offers better security than tls-auth?
Maybe someone could better explain tls-auth and tls-crypt and how they improve security?
My current client file:
client
tls-client
dev tun
proto udp
remote 1.2.3.4 9999
<ca>
</ca>
<cert>
</cert>
<key>
</key>
pull
auth-nocache
cipher AES-256-CBC
keysize 256
compress lz4-v2
reneg-sec 36000
keepalive 30 120
Solution 1:
The TLS handshake can be more or less broken down into the following steps:
- The client sends a "client hello" to the server, along with the client's random value and supported cipher suites.
- The server responds with a "server hello", along with the server's random value and the chosen cipher suite.
- The server sends its certificate to the client for authentication.
- The client verifies the server's identity.
- The client creates a random pre-master secret and encrypts it with the public key from the server's certificate.
- The client sends the encrypted pre-master secret to the server.
- The server MAY request a certificate from the client if required.
- Both the server and the client generate the session key based on the pre-master secret.
- The server and client can now exchange encrypted messages using the session key.
The difference between tls-auth and tls-crypt is that, starting from step 1, tls-crypt encrypts all messages with a pre-shared key.
This provides several benefits:
- It hides the initialization of a TLS handshake with an OpenVPN server. This is helpful in situations where the OpenVPN protocol signature is detected and blocked.
- It prevents TLS denial of service attacks. With tls-auth, an attacker can open thousands of TLS connections simultaneously without providing a valid certificate, jamming the available ports. With tls-crypt, the server would reject the connection up front at step 1.
- The data is encrypted twice: once by tls-crypt and once by the TLS session.
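Added example, not from the answer above and not OpenVPN's own source: a small Go model of what the two wrapping modes do to one control-channel packet, reduced to the parts that matter for the comparison. It assumes a simplified header (opcode/key-id byte, 8-byte session id, 4-byte packet id) and uses HMAC-SHA256 for tls-auth; for tls-crypt it uses HMAC-SHA256 as the tag and AES-256-CTR with the first 16 bytes of that tag as the IV, which is the construction OpenVPN 2.4 documents for tls-crypt. The ClientHello bytes, session id and key values are constructed for the example. It shows that a tls-auth packet carries the TLS ClientHello in the clear while a tls-crypt packet of the same length does not, and that in both modes a packet whose pre-shared-key tag does not verify is dropped before any TLS state is created.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

const (
	tagLen = sha256.Size // 32-byte HMAC-SHA256 tag
	hdrLen = 1 + 8 + 4   // opcode/key-id, session id, packet id (simplified header, an assumption of this example)
)

// WrapKey models the pre-shared key file: tls-auth uses only Auth, tls-crypt uses both halves.
type WrapKey struct {
	Enc  []byte // 32-byte AES-256 key (tls-crypt only)
	Auth []byte // 32-byte HMAC-SHA256 key
}

func NewWrapKey() WrapKey {
	k := WrapKey{Enc: make([]byte, 32), Auth: make([]byte, 32)}
	rand.Read(k.Enc)
	rand.Read(k.Auth)
	return k
}

// Header builds the cleartext control-channel header both schemes send ahead of the tag.
func Header(opcode byte, sessionID [8]byte, packetID uint32) []byte {
	h := append([]byte{opcode}, sessionID[:]...)
	return append(h, byte(packetID>>24), byte(packetID>>16), byte(packetID>>8), byte(packetID))
}

func mac(key, header, payload []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(header)
	m.Write(payload)
	return m.Sum(nil)
}

// TLSAuthWrap produces header || tag || payload: the TLS handshake bytes stay visible on the wire.
func TLSAuthWrap(k WrapKey, header, payload []byte) []byte {
	pkt := append([]byte{}, header...)
	pkt = append(pkt, mac(k.Auth, header, payload)...)
	return append(pkt, payload...)
}

// TLSAuthUnwrap verifies the tag first; a packet with a bad tag never reaches the TLS layer.
func TLSAuthUnwrap(k WrapKey, pkt []byte) ([]byte, error) {
	if len(pkt) < hdrLen+tagLen {
		return nil, errors.New("packet too short")
	}
	header, tag, payload := pkt[:hdrLen], pkt[hdrLen:hdrLen+tagLen], pkt[hdrLen+tagLen:]
	if !hmac.Equal(tag, mac(k.Auth, header, payload)) {
		return nil, errors.New("tls-auth: bad HMAC, dropped before TLS")
	}
	return payload, nil
}

func ctr(key, iv, in []byte) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	out := make([]byte, len(in))
	cipher.NewCTR(block, iv).XORKeyStream(out, in)
	return out
}

// TLSCryptWrap: tag = HMAC(header || plaintext); ciphertext = AES-256-CTR(Enc, iv = tag[:16], plaintext).
// Carrying the IV inside the tag is what keeps a tls-crypt packet the same size as a tls-auth one.
func TLSCryptWrap(k WrapKey, header, payload []byte) []byte {
	tag := mac(k.Auth, header, payload)
	pkt := append([]byte{}, header...)
	pkt = append(pkt, tag...)
	return append(pkt, ctr(k.Enc, tag[:aes.BlockSize], payload)...)
}

// TLSCryptUnwrap decrypts with the received tag as IV, then verifies the tag over the plaintext.
func TLSCryptUnwrap(k WrapKey, pkt []byte) ([]byte, error) {
	if len(pkt) < hdrLen+tagLen {
		return nil, errors.New("packet too short")
	}
	header, tag, ct := pkt[:hdrLen], pkt[hdrLen:hdrLen+tagLen], pkt[hdrLen+tagLen:]
	payload := ctr(k.Enc, tag[:aes.BlockSize], ct)
	if !hmac.Equal(tag, mac(k.Auth, header, payload)) {
		return nil, errors.New("tls-crypt: bad HMAC, dropped before TLS")
	}
	return payload, nil
}

func main() {
	k := NewWrapKey()
	// Constructed stand-in for the start of a TLS ClientHello record (0x16 handshake, 0x0301 record version).
	hello := append([]byte{0x16, 0x03, 0x01, 0x00, 0x2a, 0x01}, []byte("client hello, random, cipher suites")...)
	hdr := Header(0x38, [8]byte{1, 2, 3, 4, 5, 6, 7, 8}, 1) // 0x38 = P_CONTROL_HARD_RESET_CLIENT_V2, key-id 0
	a, c := TLSAuthWrap(k, hdr, hello), TLSCryptWrap(k, hdr, hello)
	fmt.Printf("tls-auth exposes ClientHello: %v, tls-crypt exposes it: %v\n", bytes.Contains(a, hello), bytes.Contains(c, hello))
	forged := append([]byte{}, c...) // attacker without the key file flips one byte
	forged[len(forged)-1] ^= 0x01
	_, err := TLSCryptUnwrap(k, forged)
	fmt.Println("forged tls-crypt packet:", err)
}
```

Run it with `go run`. On a real deployment the key file comes from `openvpn --genkey --secret ta.key` (OpenVPN 2.4 syntax) and is referenced from both sides' configs as `tls-auth ta.key 0` / `tls-auth ta.key 1`, or simply `tls-crypt ta.key` since tls-crypt derives distinct keys for each direction itself.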