Diploma Project ZCOV - A Zero-config Solution for OpenVPN

Download: DIPLOMA PROJECT ZCOV - A Zero-config Solution for OpenVPN (razvan/projects/diploma/licenta-zcov-andreea-lucau.pdf)

Posted on 31-Aug-2019


    University Politehnica of Bucharest
    Faculty of Automatic Control and Computer Science,
    Computer Science Department

    DIPLOMA PROJECT

    ZCOV - A Zero-config Solution for OpenVPN

    Scientific Adviser: As. Drd. Ing. Răzvan Deaconescu
    Author: Andreea Diana Lucău

    Bucharest, 2009

    Acknowledgements

    I would like to thank my supervisor, Răzvan Deaconescu, for all the support he has given me throughout the year. Not only was his advice invaluable, but his enthusiasm and genuine interest in this project was admirable and motivating.

    I would also like to thank my project colleague, Oana Comănici.

    Motto

    "You should want the highest form of technology and security for your privacy information, and frankly, we don't have that today." (Richard A. Clarke, former chief counter-terrorism adviser on the U.S. National Security Council)

    Abstract

    Ever since data exchange between computers situated in different locations became possible, the need for privacy and security has existed. People situated in different areas of the globe want to behave as if they were on the same LAN, which ensures that no one from the outside can see the data being exchanged. The result: VPNs. This paper presents a project that aims to offer a safe and simple way of creating and managing virtual private networks.

    Contents

    Acknowledgements
    Abstract

    1 Introduction
      1.1 The Context and the Purpose
      1.2 Summary

    2 VPNs in a Nutshell
      2.1 Broadband Internet Access and VPNs
      2.2 VPN Concepts - Overview
        2.2.1 Tunneling and Overhead
      2.3 Tunneling Protocols
        2.3.1 A Proposed Standard for Tunneling
        2.3.2 Tunneling Protocols Implemented in OSI Layer 2
        2.3.3 Tunneling Protocols Implemented in OSI Layer 3
        2.3.4 Tunneling Protocols Implemented in OSI Layer 4

    3 VPN Security
      3.1 Privacy - Traffic Encryption
        3.1.1 Symmetric Encryption and Pre-Shared Keys
        3.1.2 Asymmetric Encryption with SSL/TLS
      3.2 SSL/TLS Security
        3.2.1 SSL/TLS Certificates
        3.2.2 Trusted Certificates and Self-signed Certificates
        3.2.3 SSL/TLS and VPNs

    4 ZCOV - VPN Manager
      4.1 Purpose
      4.2 Specifications
        4.2.1 The Security Component
        4.2.2 Persistency and Presence
        4.2.3 Network Query
        4.2.4 User Interface

    5 OpenVPN - a Simple Tunneling Solution
      5.1 Networking with OpenVPN
      5.2 OpenVPN Security
      5.3 Configuration
      5.4 Advantages of OpenVPN
      5.5 OpenVPN Limitations

    6 ZCOV - Implementation Details
      6.1 User Control
        6.1.1 Available commands and usage
        6.1.2 GUI
      6.2 The Architecture of the Application
        6.2.1 Data structures and meaning
        6.2.2 ZCOV Layers
        6.2.3 Interactions with the database
        6.2.4 ZCOV Hooks in the OpenVPN Code
        6.2.5 ZCOV Error Handling and Debugging
      6.3 Development and Deployment
      6.4 Testing

    7 ZCOV - the Protocol
      7.1 Policies and Security Considerations
      7.2 Protocol API
        7.2.1 API
        7.2.2 The Workflow for a ZCOV Message
      7.3 Messages
        7.3.1 Create/Delete Network
        7.3.2 Join/Leave Network
        7.3.3 Go-online/Go-offline
        7.3.4 Kick/Ban Messages
        7.3.5 Get/Set Nick
        7.3.6 Querying Messages
        7.3.7 Exit
      7.4 Initialization Sequence

    8 Conclusion and Further Improvements
      8.1 Conclusions
      8.2 Further Improvements

    List of Figures

    2.1 VPN - Description
    2.2 VPN - Tunnel Data

    4.1 ZCOV - Manage Networks
    4.2 ZCOV Persistency and Presence

    5.1 OpenVPN Message Layout

    6.1 ZCOV Command Line Interface
    6.2 Extended Client Structures
    6.3 Extended Server Structures
    6.4 ZCOV Units
    6.5 ZCOV Database
    6.6 Building Process
    6.7 Testing Topology

    7.1 ZCOV Message Flow
    7.2 Client Initialization Sequence

    Notations and Abbreviations

    CA    Certificate Authority
    CLI   Command Line Interface
    CRL   Certificate Revocation List
    HMAC  Hash-based Message Authentication Code
    IEC   International Electrotechnical Commission
    ISO   International Organization for Standardization
    LAN   Local Area Network
    LZO   Lempel-Ziv-Oberhumer
    OSI   Open Systems Interconnection
    PDUs  Protocol Data Units
    PKI   Public Key Infrastructure
    UML   Unified Modeling Language
    VPN   Virtual Private Network
    W3C   World Wide Web Consortium
    ZCOV  Zero-config OpenVPN

    Chapter 1

    Introduction

    1.1 The Context and the Purpose

    During the Second World War people became more aware of the value of information. It became clear that information could be used as a weapon: whoever had access to information had an advantage over their opponents. In that context, information exchange became a major concern for every military department. In the decades that followed, the US government invested heavily in finding a resilient way of exchanging information between distant locations on the globe. Today we can see the result: the Internet as we know it.

    Soon, new demands emerged. First, privacy: information exchanged between two users on the Internet should be invisible to an external user. Second, security: no other user should be able to see and understand the information being exchanged. These new requirements drove the emergence and development of virtual private networks.

    We are therefore interested in a solution for easily linking users from different areas of the globe so that they can exchange information in a secure and private environment, with no need for complicated configurations and settings. This is the purpose of this project. ZCOV is an application developed for creating and managing virtual private networks, providing users with an easy-to-use interface and a range of facilities to ensure security and privacy.

    1.2 Summary

    Chapter 2 of this paper presents the state of the art: how can we use the Int