From: Michael Rash <mbr@ci...> - 2013-07-20 01:59:43
fwknop-2.5 has been released:
The tutorial has been updated to reflect fwknop-2.5 changes:
This release now includes support for HMAC authenticated encryption, with
SHA-256 being the default digest algorithm though others such as SHA-512
are supported as well. The HMAC mode can be applied to SPA packets that
have been encrypted with either Rijndael or GnuPG, and the order of
operation is always encrypt-then-authenticate which is considered to be
the most secure option among all possible orders. Not only does using
the new HMAC mode provide a cryptographically strong authentication step
for SPA communications, it also affords a significant security benefit
because maliciously constructed SPA packets can be discarded before they
are even sent through decryption routines. I.e., HMAC verification is a
much simpler operation than decryption, and therefore generally less
prone to programming bugs and potential security vulnerabilities.
There are many other enhancements in fwknop-2.5 as well such as usage of
the Coverity static analyzer, a new ~/.fwknoprc stanza saving feature
for fwknop client usage simplification, support for automatic
Rijndael+HMAC key generation with the --key-gen option, many test suite
improvements, an updated tutorial, and more. There is a robust roadmap
for fwknop, and new releases will come faster now that a solid
foundation is made upon HMAC authenticated encryption for SPA packets.
I wish to thank all who contributed to this effort - particularly Damien
Stuart, Franck Joncourt, Blair Zajac, Michael T. Dean, and Ryman.
Additional contributors are listed in the git history.
***** IMPORTANT *****: If you are upgrading from an older version of
fwknop, you will want to read the "Backwards Compatibility" section of
the fwknop tutorial available here:
In summary, it is possible to have a mixed environment of fwknop-2.5
clients and/or servers with older client and/or servers, but this
requires some configuration in order to work properly. On the server
side, the directive "ENCRYPTION_MODE legacy" will need to be added to
every access.conf stanza that uses Rijndael and that needs to support
SPA packets from pre-2.5 clients. On the client side, when generating
Rijndael-encrypted SPA packets for a pre-2.5 server, the command line
argument "-M legacy" will need to be given. GnuPG operations, however,
are not affected and don't require the above steps as long as the new HMAC
authenticated encryption feature (offered in fwknop-2.5) is not used.
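As an added illustration (not fwknop's own code and not its real SPA packet format), the following Python sketch shows the two points made above: the encrypt-then-authenticate order, in which a tampered or unauthenticated packet is discarded before the decryption routine is ever reached, and the effect of a legacy-mode stanza on packets from pre-2.5 clients that carry no HMAC. The encryption step uses a hypothetical HMAC-SHA256 counter-mode keystream as a stand-in for Rijndael; the packet layout (nonce, ciphertext, trailing tag), the key values, the sample request text and the `server_accept` / `legacy_mode` names are assumptions made for this demo only.

```python
import hashlib
import hmac
import secrets

NONCE_LEN = 16
DECRYPT_CALLS = [0]  # how often the decryption routine is actually reached


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy stand-in for Rijndael (an assumption for this demo): HMAC-SHA256 run
    in counter mode over the nonce produces a keystream of the requested length."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(enc_key: bytes, plaintext: bytes) -> bytes:
    """Returns nonce || ciphertext, with a fresh random nonce per packet."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ks = _keystream(enc_key, nonce, len(plaintext))
    return nonce + bytes(p ^ k for p, k in zip(plaintext, ks))


def decrypt(enc_key: bytes, blob: bytes) -> bytes:
    """Inverse of encrypt(). Every call is counted so the demo can show that
    rejected packets never get this far."""
    DECRYPT_CALLS[0] += 1
    nonce, body = blob[:NONCE_LEN], blob[NONCE_LEN:]
    ks = _keystream(enc_key, nonce, len(body))
    return bytes(c ^ k for c, k in zip(body, ks))


def build_packet(enc_key: bytes, hmac_key: bytes, plaintext: bytes, digest: str = "sha256") -> bytes:
    """2.5-style client: encrypt first, then append an HMAC computed over the
    whole ciphertext (encrypt-then-authenticate). digest may be sha256 or sha512."""
    blob = encrypt(enc_key, plaintext)
    tag = hmac.new(hmac_key, blob, digest).digest()
    return blob + tag


def build_legacy_packet(enc_key: bytes, plaintext: bytes) -> bytes:
    """Pre-2.5 client: ciphertext only, no HMAC tag."""
    return encrypt(enc_key, plaintext)


def server_accept(packet: bytes, enc_key: bytes, hmac_key: bytes,
                  legacy_mode: bool = False, digest: str = "sha256"):
    """Server side. Returns (status, plaintext_or_None).

    legacy_mode models a stanza carrying "ENCRYPTION_MODE legacy": the HMAC
    check is skipped so packets from older clients can still be decrypted.
    Otherwise the trailing tag is verified in constant time and the packet is
    discarded before decrypt() is called if verification fails."""
    if legacy_mode:
        return "accepted-legacy", decrypt(enc_key, packet)
    tag_len = hashlib.new(digest).digest_size
    if len(packet) < NONCE_LEN + tag_len:
        return "rejected-too-short", None
    blob, tag = packet[:-tag_len], packet[-tag_len:]
    expected = hmac.new(hmac_key, blob, digest).digest()
    if not hmac.compare_digest(tag, expected):
        return "rejected-bad-hmac", None
    return "accepted", decrypt(enc_key, blob)


if __name__ == "__main__":
    enc_key, hmac_key = secrets.token_bytes(32), secrets.token_bytes(32)
    msg = b"constructed demo request: open tcp/22 for 203.0.113.5"
    pkt = build_packet(enc_key, hmac_key, msg)
    print(server_accept(pkt, enc_key, hmac_key))
    tampered = bytearray(pkt)
    tampered[NONCE_LEN] ^= 0x01  # flip one ciphertext bit
    print(server_accept(bytes(tampered), enc_key, hmac_key))
    old = build_legacy_packet(enc_key, msg)
    print(server_accept(old, enc_key, hmac_key))
    print(server_accept(old, enc_key, hmac_key, legacy_mode=True))
    print("decrypt() calls:", DECRYPT_CALLS[0])
```

Running the block shows the tampered packet and the tag-less legacy packet both rejected by a non-legacy stanza without `decrypt()` being invoked, while the same legacy packet is accepted once `legacy_mode` is set, which is the trade-off the "ENCRYPTION_MODE legacy" directive represents: interoperability with older clients at the cost of the pre-decryption authentication check.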
Here is the complete ChangeLog:
Please let me know if there are any issues.