[Vpn-help] Security considerations with storing PSK and/or connections

Besim Karadeniz besim at netplanet.org
Mon Nov 30 05:38:46 CST 2009


Hello,

I'm evaluating the VPN Client (2.1.5-rc5) and stumbled upon a first-class 
security weakness. I have configured an IPsec connection with mutual-psk 
and found this PSK _plain_ in the registry. This stands diametrically 
against any policy to protect a password, and this makes our lovable 
baby nearly unusable for enterprise use. Storing sensitive passwords in 
plaintext in files or in the registry should be a no-no.

I would like to chip in some suggestions for this behaviour:

- A possibility to password-protect a deposited configuration and to use
   this password to one-way-encrypt this configuration. This would kill two
   birds with one stone: protecting the configuration/credentials and
   implementing an authentication mechanism. (It is conceivable to extend
   this protection to two levels - one level for using a deposited
   connection and one higher level to administer it. This would be the
   "real" thing.)

- A switch to store certificates and/or files with a PSK in a selectable
   directory/drive (e.g. on a USB stick or in an encrypted directory).

- Saying goodbye to saving the configuration of a connection in the
   registry, in favour of saving real configuration files which can be
   bound by a file extension to an installed client. (A PSK should be
   one-way-encrypted in this way too.)

Regards,
Besim

-- 
Besim at Karadeniz dot de > Pforzheim/GER >> http://blog.netplanet.org/
netplanet - Understand the Internet for once! - http://www.netplanet.org/
"The experts are always angry when a layman comes up with something 
that did not occur to them."
  -- John Steinbeck (1902-1968), American writer
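The first suggestion above (a password that both authenticates the user and protects the stored connection) is illustrated here with an added Python example. It is not code from the mailing list post or from the VPN client; the connection record, the field names and the file format are constructed for the illustration. The password is stretched with PBKDF2-HMAC-SHA256 from the standard library, the resulting key encrypts the connection (HMAC-SHA256 in counter mode stands in for a real cipher so the example needs no third-party library), and an HMAC tag over the stored record makes a wrong password and a tampered file indistinguishable: both yield no plaintext at all, which is the property the post asks for instead of a cleartext PSK in the registry.

```python
import base64
import hashlib
import hmac
import json
import os
from typing import Optional, Tuple

# Constructed sample of what the client currently keeps in cleartext in the registry.
SAMPLE_CONNECTION = {
    "name": "office-gw",
    "gateway": "vpn.example.test",
    "auth": "mutual-psk",
    "psk": "correct horse battery staple",
}

KDF_ITERATIONS = 600_000  # PBKDF2 work factor; this is what makes offline guessing expensive


def _derive_keys(password: str, salt: bytes, iterations: int) -> Tuple[bytes, bytes]:
    """Derive independent encryption and MAC keys from the user's password."""
    material = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                   iterations, dklen=64)
    return material[:32], material[32:]


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 run in counter mode as a PRF (stdlib-only stand-in for AES-CTR)."""
    blocks = []
    for counter in range((length + 31) // 32):
        blocks.append(hmac.new(key, nonce + counter.to_bytes(4, "big"),
                               hashlib.sha256).digest())
    return b"".join(blocks)[:length]


def protect_connection(connection: dict, password: str) -> dict:
    """Return a file-ready record; nothing in it reveals the PSK without the password."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = _derive_keys(password, salt, KDF_ITERATIONS)
    plaintext = json.dumps(connection, sort_keys=True).encode("utf-8")
    ciphertext = bytes(p ^ k for p, k in
                       zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    # Encrypt-then-MAC over everything the reader will later trust.
    tag = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    b64 = lambda b: base64.b64encode(b).decode("ascii")
    return {"kdf_iterations": KDF_ITERATIONS, "salt": b64(salt), "nonce": b64(nonce),
            "ciphertext": b64(ciphertext), "tag": b64(tag)}


def unprotect_connection(record: dict, password: str) -> Optional[dict]:
    """Recover the connection, or None if the password is wrong or the file was altered."""
    salt, nonce, ciphertext, tag = (base64.b64decode(record[k])
                                    for k in ("salt", "nonce", "ciphertext", "tag"))
    enc_key, mac_key = _derive_keys(password, salt, int(record["kdf_iterations"]))
    expected = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # wrong password or tampering: same answer, no partial plaintext
    plaintext = bytes(c ^ k for c, k in
                      zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))
    return json.loads(plaintext.decode("utf-8"))


def psk_visible(record: dict, secret: str) -> bool:
    """Check whether the secret appears anywhere in the serialized record (it must not)."""
    return secret in json.dumps(record)


def tamper(record: dict) -> dict:
    """Constructed file corruption: flip one bit of the stored ciphertext."""
    raw = bytearray(base64.b64decode(record["ciphertext"]))
    raw[-1] ^= 0x01
    altered = dict(record)
    altered["ciphertext"] = base64.b64encode(bytes(raw)).decode("ascii")
    return altered


if __name__ == "__main__":
    stored = protect_connection(SAMPLE_CONNECTION, "a long passphrase for the profile")
    print("PSK visible in stored file:", psk_visible(stored, SAMPLE_CONNECTION["psk"]))
    print("Correct password:", unprotect_connection(stored, "a long passphrase for the profile"))
    print("Wrong password:", unprotect_connection(stored, "guess"))
    print("Tampered file:", unprotect_connection(tamper(stored), "a long passphrase for the profile"))
```

The design choice worth noting is that the same password does two jobs: a user who cannot supply it cannot use the connection (authentication), and a copy of the file or registry export is useless without it (confidentiality), which is exactly the "two birds" the post describes. A second, administrative level could be added by protecting a separate record (for example the PSK itself) under a different password while the user-level record holds only what is needed to connect.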


