13

While reading the manual of OpenVPN 2.3, I came across the --auth alg option. The manual says:

Authenticate packets with HMAC using message digest algorithm alg. (The default is SHA1 ). HMAC is a commonly used message authentication algorithm (MAC) that uses a data string, a secure hash algorithm, and a key, to produce a digital signature.

From what I understand, HMAC is just a preferred way of making a MAC from a hash function, while potentially avoiding the length-extension properties of some hash functions.

So the algorithm specified in the --auth option should be a hash function.

Now if I do openvpn --show-digests to know what algorithms I can use with the --auth option I got also entries like:

RSA-SHA, DSA-SHA, ECDSA-WITH-SHA1... etc.

These are the digital signature algorithms, why they are supposed to be used in the HMAC? To get sort of "double authentication"? Isn't it a bit of an overkill?

Or does it mean in this case the HMAC is actually replaced by digital signature to achive authentication? If this is the case, what is better to use in terms of security?

NumberFour
  • 195
  • 1
  • 8
  • 2
    I've had the same question. Every reasonable reference I've ever seen, and my own judgement, lead me to use --auth SHA512 or --auth SHA256. See [https://blog.g3rt.nl/openvpn-security-tips.html](https://blog.g3rt.nl/openvpn-security-tips.html) and [https://oli.new-lan.de/2015/02/openvpn-crypto-tuning-tls-auth-tls-cipher-tls-version-min-dh-verify-x509-name-cipher-auth-remote-cert-tls/](https://oli.new-lan.de/2015/02/openvpn-crypto-tuning-tls-auth-tls-cipher-tls-version-min-dh-verify-x509-name-cipher-auth-remote-cert-tls/) for examples. – Anti-weakpasswords Jun 21 '15 at 18:11
  • Maybe you should offer a bounty on this. I can only bump it using comments (if I ever want to reach 1K). – Maarten Bodewes Jul 02 '15 at 13:32

1 Answers1

16

Looking at OpenVPN's source code, this appears to be a cosmetic quirk of OpenSSL.

When using --show-digests, OpenVPN calls OpenSSL's EVP_get_digestbynid() with, as parameter, all integers from 0 to 999. For some of these values, EVP_get_digestbynid() returns a non-NULL pointer that identifies the corresponding hash function implementation, and then OpenVPN prints out the corresponding name.

It so happens that with ID = 64, you get a structure that implements SHA-1, and the name corresponding to the ID value 64 is "SHA1". However, with ID = 65, you get the exact same structure (same pointer in RAM), i.e. the very same implementation of SHA-1. But the name corresponding to the ID value 65 is "RSA-SHA1".

When you use --auth, the same applies: OpenVPN uses the EVP_get_digestbyname() on the provided string. With "SHA1", you get a pointer to the structure that implements SHA-1. With "RSA-SHA1", you again get the exact same pointer value.

In other words, you see some "alternate names" with some RSA or ECDSA but that's just a consequence of how OpenSSL names things, and if you use these names you just obtain the underlying hash function (to be used in HMAC) and nothing more. Thus, --auth SHA1 and --auth RSA-SHA1 are completely equivalent.

Thomas Pornin
  • 320,799
  • 57
  • 780
  • 949