5:11 p.m.
Hi All,
I need some technical explanation about VPN in F18.
(F18, KDE environment)
Please tell me, what happens if I import a PCF file on the Network Manager
UI?
My PCF file refers to a Cisco VPN using group password.
- Is the group password accessible during the import (of course it is
otherwise it's useless...)
- How it is decrpyted?
- Which programs are involved? (Is any of them so called unsafe?)
- Where're the passwords stored? (Probably in KWallet)
- Are the VPN passwords "clear-text" accessible somewhere?
I need to prove that using this PCF file is secure on F18 too. The PCF file
is originating from Windows environment. The publishing company uses
official Cisco client.
I know that there are tons of sites and apps to decrypt the password, but I
need to prove that the basic Fedora installation is secure.
Do you need more information? Please ask me!
Thanks in advance,
*Peter SOLYOM-NAGY*
8:52 a.m.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
On Thu, Apr 25, 2013 at 12:11:25AM +0200, Péter Sólyom-Nagy wrote:
Please tell me, what happens if I import a PCF file on the Network
Manager
UI?
I'm not sure we have any specific data on NetworkManager, here. It would be best to
contact the developer and discuss your concerns with them. That said, I'll try to
address some of your concerns below.
My PCF file refers to a Cisco VPN using group password.
- Is the group password accessible during the import (of course it is
otherwise it's useless...)
Yes, it would need to be accessible to the software in order for the circuit to be
established.
- How it is decrpyted?
The password (any password) isn't encrypted but rather obsfucated. I don't know
exactly what the protocol is but it would be whatever Cisco designed.
- Which programs are involved? (Is any of them so called unsafe?)
I believe NetworkManager has a plugin that it uses for VPN connectivity. I'm not
aware of it being "unsafe" but I guess that depends on your definition of
"unsafe".
- Where're the passwords stored? (Probably in KWallet)
I'm not sure as they can be stored in several locations depending on how your system
is setup. I believe KWallet is default in KDE but that isn't necessarily where the
information will be stored. You could create a dummy account in your VPN software and go
in search of the credentials in KWallet and see if they are there.
- Are the VPN passwords "clear-text" accessible somewhere?
That would depend on how the password is stored (see above).
I need to prove that using this PCF file is secure on F18 too. The PCF file
is originating from Windows environment. The publishing company uses
official Cisco client.
Well, you can't prove a negative. Is it safer than using the "official"
Cisco client? Probably. It would appear that the official software doesn't have a
perfect track record when it comes to security:
https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=cisco+vpn+client.
I know that there are tons of sites and apps to decrypt the password, but I
need to prove that the basic Fedora installation is secure.
Secure against what? Yes, Cisco didn't do a great job securing their "group
password" as, like you say, there are many websites out there that can decrypt it for
you. The Fedora software must do the same thing, just as the Cisco software does, to
build the VPN circuit. Again, you won't be able to prove that an installation is
secure but you can look to see if it is secure against listed attacks or whatnot.
Is the NetworkManager implementation of the Cisco VPN client as secure as the Cisco VPN
client? Probably. Is it more secure than the Cisco VPN client? Probably. You can look
at all the code used in Fedora's implementation of the VPN client but you can't do
that for Cisco's client so you don't know what might be hiding in their code.
Hope that helps.
- --Eric
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)
iQGcBAEBCgAGBQJReTT9AAoJEB/kgVGp2CYv6bEMAJHZXFxk0L5n7f7tEiJttjoM
Rt9RKq1hzBQmvDZ5TTZXqlCgE75HKRkgILp2COtoKlgRDUpTUMcjDzLmwsdmc1GI
EOlxyH4ZbsgFYcCRSLHHLFIN/31e4zOOlL6Y6jpCnQnEgbXo0AXWmzblPclSVvLg
ZlBv3Y93uF3+NWVXgxLV/MOBc0UUSEHl90ujTmsRvH8zZFf5Y07hQ6bFT0ANu5m1
ARzDDUEdFCGkbPL47oEFGGBYimLO1oez0EqSUC+8jP9svEfRU3Wh43XBSjBContB
CaBbfYOirrCZdzDhE8MYp+/sNpuwaeJXHXlStOI5nnGmxvn/9kOGxfS/Pu4E82ss
/NFRtaMmnXZEiNm5qTWugERZwVeniHpn3ZrcU0zMs8/RR55h0VOTK9t+CKOnYqGy
XK2t7JDIgwJ6kIweYGtGwCoz/UZWRGRfod+yBbjZn1cBeHfY3j5H8jEgdq+5lnD6
EZO+gw1jWUh8a4Y2rmrnIKJjAz41uM/3dyG2Mb3AFQ==
=y9v9
-----END PGP SIGNATURE-----
10:02 a.m.
Hi Eric,
Thank you for your reply. That was really informative!
Peter
On Thu, Apr 25, 2013 at 3:52 PM, Eric H. Christensen <
sparks(a)fedoraproject.org> wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
On Thu, Apr 25, 2013 at 12:11:25AM +0200, Péter Sólyom-Nagy wrote:
> Please tell me, what happens if I import a PCF file on the Network
Manager
> UI?
I'm not sure we have any specific data on NetworkManager, here. It would
be best to contact the developer and discuss your concerns with them. That
said, I'll try to address some of your concerns below.
> My PCF file refers to a Cisco VPN using group password.
> - Is the group password accessible during the import (of course it is
> otherwise it's useless...)
Yes, it would need to be accessible to the software in order for the
circuit to be established.
> - How it is decrpyted?
The password (any password) isn't encrypted but rather obsfucated. I
don't know exactly what the protocol is but it would be whatever Cisco
designed.
> - Which programs are involved? (Is any of them so called unsafe?)
I believe NetworkManager has a plugin that it uses for VPN connectivity.
I'm not aware of it being "unsafe" but I guess that depends on your
definition of "unsafe".
> - Where're the passwords stored? (Probably in KWallet)
I'm not sure as they can be stored in several locations depending on how
your system is setup. I believe KWallet is default in KDE but that isn't
necessarily where the information will be stored. You could create a dummy
account in your VPN software and go in search of the credentials in KWallet
and see if they are there.
> - Are the VPN passwords "clear-text" accessible somewhere?
That would depend on how the password is stored (see above).
>
> I need to prove that using this PCF file is secure on F18 too. The PCF
file
> is originating from Windows environment. The publishing company uses
> official Cisco client.
Well, you can't prove a negative. Is it safer than using the "official"
Cisco client? Probably. It would appear that the official software
doesn't have a perfect track record when it comes to security:
https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=cisco+vpn+client.
>
> I know that there are tons of sites and apps to decrypt the password,
but I
> need to prove that the basic Fedora installation is secure.
Secure against what? Yes, Cisco didn't do a great job securing their
"group password" as, like you say, there are many websites out there that
can decrypt it for you. The Fedora software must do the same thing, just
as the Cisco software does, to build the VPN circuit. Again, you won't be
able to prove that an installation is secure but you can look to see if it
is secure against listed attacks or whatnot.
Is the NetworkManager implementation of the Cisco VPN client as secure as
the Cisco VPN client? Probably. Is it more secure than the Cisco VPN
client? Probably. You can look at all the code used in Fedora's
implementation of the VPN client but you can't do that for Cisco's client
so you don't know what might be hiding in their code.
Hope that helps.
- --Eric
--
*Sólyom-Nagy Péter*
snagypeter(a)gmail.com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)
iQGcBAEBCgAGBQJReTT9AAoJEB/kgVGp2CYv6bEMAJHZXFxk0L5n7f7tEiJttjoM
Rt9RKq1hzBQmvDZ5TTZXqlCgE75HKRkgILp2COtoKlgRDUpTUMcjDzLmwsdmc1GI
EOlxyH4ZbsgFYcCRSLHHLFIN/31e4zOOlL6Y6jpCnQnEgbXo0AXWmzblPclSVvLg
ZlBv3Y93uF3+NWVXgxLV/MOBc0UUSEHl90ujTmsRvH8zZFf5Y07hQ6bFT0ANu5m1
ARzDDUEdFCGkbPL47oEFGGBYimLO1oez0EqSUC+8jP9svEfRU3Wh43XBSjBContB
CaBbfYOirrCZdzDhE8MYp+/sNpuwaeJXHXlStOI5nnGmxvn/9kOGxfS/Pu4E82ss
/NFRtaMmnXZEiNm5qTWugERZwVeniHpn3ZrcU0zMs8/RR55h0VOTK9t+CKOnYqGy
XK2t7JDIgwJ6kIweYGtGwCoz/UZWRGRfod+yBbjZn1cBeHfY3j5H8jEgdq+5lnD6
EZO+gw1jWUh8a4Y2rmrnIKJjAz41uM/3dyG2Mb3AFQ==
=y9v9
-----END PGP SIGNATURE-----
4017
days inactive
4018
days old
security@lists.fedoraproject.org
2 comments
2 participants
participants (2)
-
Eric Christensen -
Péter Sólyom-Nagy