[Vpn-help] Security considerations with storing PSK and/or connections
Besim Karadeniz
besim at netplanet.org
Mon Nov 30 05:38:46 CST 2009
Hello,
I'm evaluating the VPN Client (2.1.5-rc5) and stumbled upon a first-class
security weakness. I have configured an IPsec connection with mutual-psk
and found this PSK stored in _plain_ text in the registry. This stands diametrically
against any policy to protect a password, and it makes our lovable
baby nearly unusable for enterprise use. Storing sensitive passwords in
plaintext in files or in the registry should be a no-no.
I would like to chip in some suggestions for this behaviour:
- An option to password-protect a stored configuration and to use
this password to oneway-encrypt the configuration. This would kill two
birds with one stone: protecting the configuration/credentials and
implementing an authentication mechanism. (It is conceivable to extend
this protection to two levels: one level for using a stored
connection and one higher level to administer it. This would be the
"real" thing.)
- A switch to store certificates and/or files with a PSK in a selectable
directory/drive (e.g. on a USB stick or in an encrypted directory).
- Saying goodbye to saving a connection's configuration
into the registry, in favour of real configuration files which can be
bound by a file extension to an installed client. (A PSK should be
oneway-encrypted in this way too.)
Regards,
Besim
--
Besim at Karadeniz dot de > Pforzheim/GER >> http://blog.netplanet.org/
netplanet - Understand the Internet for once! - http://www.netplanet.org/
"The experts are always angry when a layman comes up with something
that did not occur to them."
-- John Steinbeck (1902-1968), American writer