(Marek Wrzosek) Update docs to reflect random 'digits' use instead of 'bytes'

Suggested doc update to fwknop man pages to accurately describe the usage
of digits instead of bytes for SPA random data.  About 53 bits of entropy
are actually used, although this is in addition to the 64-bit random salt
for key derivation used by PBKDF1 in Rijndael CBC mode.
commit 551b243007d8e481e284a9d90ab9372fefc09b87 1 parent 6add06f
Michael Rash authored
Showing with 21 additions and 12 deletions.
  1. +8 −0 CREDITS
  2. +5 −5 client/fwknop.8.in
  3. +8 −7 doc/fwknop.man.asciidoc
8 CREDITS
@@ -160,3 +160,11 @@ Les Aker
pcap_dispatch() packet count of zero when using libpcap-1.5.1. This
issue was tracked on github as issue #110, and the default packet count
is now set at 100 as a result.
+
+Marek Wrzosek
+ - Suggested doc update to fwknop man pages to accurately describe the usage
+ of digits instead of bytes for SPA random data. About 53 bits of entropy
+ are actually used, although this is in addition to the 64-bit random salt
+ in for key derivation used by PBKDF1 in Rjindael CBC mode.
+ - Various excellent feedback on crypto design, including the need to remove
+ the GPG_IGNORE_SIG_VERIFY_ERROR mode.
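Review bot: In the new Marek Wrzosek entry, "Rjindael" is a misspelling of "Rijndael" (the man page text changed in this same commit spells it correctly), and "random salt in for key derivation used by PBKDF1" carries a stray "in". Suggest ending the sentence as "in addition to the 64-bit random salt used by PBKDF1 for key derivation in Rijndael CBC mode."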
10 client/fwknop.8.in
@@ -1,13 +1,13 @@
'\" t
.\" Title: fwknop
.\" Author: [see the "AUTHORS" section]
-.\" Generator: DocBook XSL Stylesheets v1.76.1 <http://docbook.sf.net/>
-.\" Date: 08/08/2013
+.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
+.\" Date: 01/02/2014
.\" Manual: Fwknop Client
.\" Source: Fwknop Client
.\" Language: English
.\"
-.TH "FWKNOP" "8" "08/08/2013" "Fwknop Client" "Fwknop Client"
+.TH "FWKNOP" "8" "01/02/2014" "Fwknop Client" "Fwknop Client"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
@@ -48,7 +48,7 @@ SPA packets generated by \fBfwknop\fR leverage HMAC for authenticated encryption
.RS 4
.\}
.nf
- random data (16 bytes)
+ random data (16 digits)
username
timestamp
software version
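Review bot: The changed field line "random data (16 digits)" does not say which base the digits are in, and the "about 53 bits" figure given in the following paragraph only follows for decimal digits (16 × log2(10) ≈ 53.15 bits). Suggest "random data (16 decimal digits)" here and in the matching line of doc/fwknop.man.asciidoc, so the format listing and the entropy figure agree without cross-reading.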
@@ -61,7 +61,7 @@ SPA packets generated by \fBfwknop\fR leverage HMAC for authenticated encryption
.RE
.\}
.sp
-Each of the above fields are separated by a ":" character due to the variable length of several of the fields, and those that might contain ":" characters are base64 encoded\&. The message digest (\fBSHA256\fR by default) is part of the data to be encrypted and is independent of the HMAC which is appended to the SPA packet data after encryption\&. The 16 bytes of random data ensures that no two SPA packets are identical, and this is in addition to and independent of using PBKDF1 for key derivation for Rijndael in CBC mode\&. Because \fBfwknopd\fR tracks the SHA256 digest of all incoming valid SPA packets and throws out duplicates, replay attacks are not feasible against \fBfwknop\fR\&. Syslog alerts are generated if a replay is detected\&.
+Each of the above fields are separated by a ":" character due to the variable length of several of the fields, and those that might contain ":" characters are base64 encoded\&. The message digest (\fBSHA256\fR by default) is part of the data to be encrypted and is independent of the HMAC which is appended to the SPA packet data after encryption\&. The 16 digits of random data (about 53 bits) ensures that no two SPA packets are identical, and this is in addition to and independent of using PBKDF1 for key derivation for Rijndael in CBC mode (which uses an 8\-byte random "salt" value)\&. Because \fBfwknopd\fR tracks the SHA256 digest of all incoming valid SPA packets and throws out duplicates, replay attacks are not feasible against \fBfwknop\fR\&. Syslog alerts are generated if a replay is detected\&.
.sp
By default, the \fBfwknop\fR client sends authorization packets over UDP port 62201, but this can be altered with the \fB\-\-server\-port\fR argument (this requires \fBfwknopd\fR to be configured to acquire SPA data over the selected port)\&. Also, \fBfwknop\fR can send the SPA packet over a random port via the \fB\-\-rand\-port\fR argument\&. See \fIfwknopd(8)\fR for further details\&. See the \fBEXAMPLES\fR section for example invocations of the \fBfwknop\fR client\&.
.sp
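Review bot: In the rewritten paragraph, "The 16 digits of random data (about 53 bits) ensures that no two SPA packets are identical" overstates what a 53-bit random field can do: it makes a repeat very unlikely, it does not rule one out. Because the next sentence says fwknopd throws out any packet whose SHA256 digest it has already seen, wording such as "makes it highly unlikely that two SPA packets are identical" would be more accurate. While the line is being touched, the agreement can be fixed as well ("digits ... ensure").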
15 doc/fwknop.man.asciidoc
@@ -76,7 +76,7 @@ packets generated by fwknop running as a client adhere to the following
format (before encryption and the HMAC is applied):
..........................
- random data (16 bytes)
+ random data (16 digits)
username
timestamp
software version
@@ -90,12 +90,13 @@ Each of the above fields are separated by a ":" character due to the variable
length of several of the fields, and those that might contain ":" characters
are base64 encoded. The message digest (*SHA256* by default) is part of the
data to be encrypted and is independent of the HMAC which is appended to the
-SPA packet data after encryption. The 16 bytes of random data ensures that no
-two SPA packets are identical, and this is in addition to and independent of
-using PBKDF1 for key derivation for Rijndael in CBC mode. Because *fwknopd*
-tracks the SHA256 digest of all incoming valid SPA packets and throws out
-duplicates, replay attacks are not feasible against *fwknop*. Syslog
-alerts are generated if a replay is detected.
+SPA packet data after encryption. The 16 digits of random data (about 53 bits)
+ensures that no two SPA packets are identical, and this is in addition to and
+independent of using PBKDF1 for key derivation for Rijndael in CBC mode (which
+uses an 8-byte random "salt" value). Because *fwknopd* tracks the SHA256
+digest of all incoming valid SPA packets and throws out duplicates, replay
+attacks are not feasible against *fwknop*. Syslog alerts are generated if a
+replay is detected.
By default, the *fwknop* client sends authorization packets over UDP port
62201, but this can be altered with the *--server-port* argument (this requires
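Review bot: In "using PBKDF1 for key derivation for Rijndael in CBC mode (which uses an 8-byte random "salt" value)", the parenthetical reads as attached to CBC mode, while the commit message describes the salt as part of the PBKDF1 key derivation. Suggest moving it next to PBKDF1, for example "using PBKDF1 (with an 8-byte random salt) for key derivation for Rijndael in CBC mode", and making the same change in client/fwknop.8.in.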