OpenVPN Support for ECC and XOR obfuscation added

Thursday, September 4, 2014

In the last few days we rolled out an important update on all our VPN servers and we released a new version of our Windows VPN Client software. The new software release features some important changes within the core OpenVPN code, as well as bug fixes and cosmetic improvements. Update: our software for Mac OS was also updated to support the new features. 

- If you are still using version 1.1 (check version in the lower-left corner of our software), download the latest software for Windows (version 2.0) as a zip archive or self-extracting binary. (software screenshot)
- If you downloaded the software in the last week, you don't need to update it as you are most likely already using it.
- If you need to use OpenVPN with ECC and XOR obfuscation on Linux, get in touch with us.

ECC (Elliptic Curve Cryptography) support

We introduced support for Elliptic Curve Cryptography along with TLS 1.2. Elliptic Curve is one of the most powerful types of cryptography today, it is future-proofing and is arguably significantly more secure than RSA. However, its level of security depends on the curves being used: some being more secure than others. In our implementation we decided to use the secp256k1 elliptic curve, that is not part of the NIST standard. The design of NIST curves raised many questions and consensus is that they are likely backdoored by the NSA.

The curve secp256k1 is used within the Bitcoin protocol and that serves as a good reason to trust it over the curves supported by NIST and NSA. ECC is being used during the OpenVPN tunnel authentication and key exchange, which is the most important part of VPN communication. For data-channel encryption we are using AES 128-bit, to benefit from the modern Intel CPUs providing hardware acceleration for AES encryption. ECC is also supported on Android devices (with the app OpenVPN for Android) and 128-bit AES is using less processing power, resulting in better battery-life than using AES-256.

ECDHE (Elliptic Curve Diffie–Hellman with Forward Secrecy) is now being used instead of regular DHE. 

This is a sample of what you should see in the connection log when connecting using OpenVPN ECC: 
Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-ECDSA-AES256-GCM-SHA384

Obfuscation support for OpenVPN (XOR cipher), optimized for censored networks (e.g., China)

Obfuscating the OpenVPN protocol makes it look like regular SSL traffic or an unknown encrypted protocol, making it harder to be detected & blocked by Firewalls with DPI capabilities relying on protocol signatures to identify known VPN protocols. This is the case in China, where default OpenVPN implementations are blocked almost immediately. While our AES 256-bit implementation is still stealthy and working in China, we added one more protocol-type to bypass the GFW. It runs on several ports including TCP port 443 (HTTPS), replacing an instance of OpenVPN Blowfish 128-bit we used with port TCP/443. With this method, the handshake packets are obfuscated so it's not possible to identify the traffic as being part of an OpenVPN tunnel. Encryption relies on RSA 4096-bit + ECDHE for key-exchange, AES 128-bit for data channel.

If you are in China, we recommend to use this type of OpenVPN.

Making the software immune to DNS blocking

Sometimes when connecting from heavily-censored networks, there were problems getting the lists of our servers in the software, as well as connecting to servers by name. With this update, it's no longer possible for ISPs to do any DNS blocking in order to block users connecting to the VPN servers.

Fixed an issue with the geo-IP service displaying the IP/location in software

There was a problem with the geo-location service used to display the IP address and location in the software. It's been fixed by improving the internal geo-location service with a strong emphasis on high-availability: it is now available on 6 servers on 3 continents, so the likelihood for this issue to repeat is virtually non-existent.

Some more improvements and new service features are currently under development and we will provide details as soon as they are available. One of the new features being implemented as we speak is the ability to access streaming services from different countries while being connected to VPN locations where those services are not available: for example accessing US Netflix while being connected to the VPN in France or Romania. 

The Client Area has been updated too and it is now responsive/mobile-friendly.

Feedback and suggestions are always welcome. 

Recommended reading on Elliptic Curve Cryptography

A (Relatively Easy To Understand) Primer on Elliptic Curve Cryptography

Satoshi’s Genius: Unexpected Ways in which Bitcoin Dodged Some Cryptographic Bullets

Black Hat: Elliptic curve cryptography coming as smarter algorithms threaten RSA

ECC (Wikipedia)

secp256k1 (bitcoin.it)

Are the NIST Standard Elliptic Curves Back-doored?

« Back