Protocols and Algorithms

Each CEQURUX Technologies Firewall or VPN Gateway has its own RSA private key (1024 to 4096 bits) and the RSA public keys of the other VPN gateway or firewalls. Generation of an RSA private key, if one does not already exist, is performed automatically during the configuration process. The random number generator used to generate the key follows guidelines given in RFC 1750, `Randomness Recommendations for Security'.

A secure tunnel is created between two firewalls or VPN gateways using the Station-to-Station protocol. This protocol works in the following way (assume the machines are called vpn1.cequrux.com and vpn2.cequrux.com)

• 2048 bit Diffie-Hellman is used to exchange random session keys;
• vpn1.cequrux.com concatenates its Diffie-Hellman public key with vpn2.cequrux.com's Diffie-Hellman public key, and produces an MD2 hash of the concatenated keys. This it signs with its RSA private key, and sends the signed message to vpn2;
• vpn2 uses vpn1's RSA public key to decrypt the signed message, and compares the result to the MD2 hash of the concatenation of the two Diffie-Hellman public keys. If the two match, vpn1 has proven to vpn2 that it really is who it claims to be, since it has demonstrated that it possesses the RSA private key for vpn1;
• The exchange now occurs in the opposite direction, so that vpn2 proves to vpn1 that it posseses the RSA private key for vpn2 and thus definitively establishes its identity.

This protocol avoids the active man-in-the-middle attack against Diffie-Hellman. The CEQURUX Firewall's RSA implementation uses PKCS standards (random padding, PKCS block types, ASN.1 encoding, etc.) as well as a quantised execution environment to protect against known attacks on RSA implementations (including low encryption exponent attacks, and timing attacks). The MD2 message digest algorithm is used as an added security, since MD5 is known to have collisions, where two different plaintexts produce the same hash.

Once the session keys have been established, and the respondents in the exchange have authenticated themselves to each other, any traffic flowing between the two virtual networks is compressed, encrypted using a predefined cipher, and tunnelled to the remote gateway. In addition, links are forcibly rekeyed at regular intervals, ensuring that the session keys are changed periodically.

Block ciphers operate in CBC mode (Cipher Block Chaining), which ensures that identical plaintext traffic, given the same key schedule for the block algorithm, will encrypt to different ciphertext every time. The available block ciphers are: IDEA, Blowfish, DES, 3DES, SAFER SK128, GOST, RC2, and RC5.

The CEQURUX firewall also allows the use of two stream ciphers, RC4 and SEAL. These ciphers are the fastest known encryption algorithms, with SEAL reaching an in-memory throughput of 80 MBits per second on a 166MHz Intel Pentium. Some cipher options may be unavailable for use depending on the country in which the software is acquired.