As we are putting a lot of focus on the VPN functionality of IPFire, we have made some changes to the ciphers that are used for IPsec and OpenVPN.
Some additional algorithms for encryption and the key exchange have been added.
IPsec can now use the Camellia cipher, which was developed by Mitsubishi and NTT in Japan. In terms of performance and security it is very similar to AES, and it supports keys of different lengths up to 256 bits.
As an alternative to the previously introduced elliptic curves that were specified by NIST, more elliptic curves have been added. Those curves are standardized in RFC 5639 by Merkle and Lochter, who work for the Bundesamt für Sicherheit in der Informationstechnik (BSI) and secunet Security Networks.
With those two additions, it is possible to use cryptography that has not been standardized by an American government institution.
On new installations, the default algorithm for roadwarrior networks is now AES-256-CBC. The former default was Blowfish, which performs very well, but we think we should always go for better security when feasible. The hardware most of you are running IPFire on is well capable of handling the latest ciphers.
OpenVPN is now also able to use the Camellia cipher.
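The change of default from Blowfish to AES-256-CBC only applies to new installations, so an existing OpenVPN setup may still carry the old cipher. The following is an added example, not IPFire's own code or part of the original post: a small POSIX shell check that reads the `cipher` directive from an OpenVPN server configuration and flags anything that is not one of the 128-bit block ciphers discussed above (AES or Camellia in CBC mode). The list of accepted ciphers and the sample configuration files are constructed for this example; the fallback to BF-CBC when no `cipher` line is present mirrors OpenVPN's historic default.

```shell
# Added example (not IPFire's own code): audit the data-channel cipher of an
# OpenVPN server config. The allowed list below is an assumption made for
# this example and covers the AES and Camellia CBC ciphers named in the post.
ALLOWED_CIPHERS="AES-128-CBC AES-192-CBC AES-256-CBC CAMELLIA-128-CBC CAMELLIA-192-CBC CAMELLIA-256-CBC"

# Print the effective 'cipher' value of the config file given as $1.
# OpenVPN uses the last occurrence of a directive, so take the last match.
# Without a 'cipher' line OpenVPN historically fell back to BF-CBC
# (Blowfish, a 64-bit block cipher), so report that explicitly.
ovpn_cipher() {
    c=$(sed -n 's/^[[:space:]]*cipher[[:space:]]\{1,\}\([^[:space:]#]*\).*/\1/p' "$1" | tail -n 1)
    if [ -z "$c" ]; then
        echo "BF-CBC"
    else
        # Cipher names are matched case-insensitively by OpenSSL; normalise.
        echo "$c" | tr '[:lower:]' '[:upper:]'
    fi
}

# Return 0 when the config's cipher is on the allowed list, 1 otherwise.
ovpn_cipher_ok() {
    c=$(ovpn_cipher "$1")
    for a in $ALLOWED_CIPHERS; do
        [ "$c" = "$a" ] && return 0
    done
    return 1
}

# Report one config file in human-readable form.
ovpn_report() {
    if ovpn_cipher_ok "$1"; then
        echo "$1: cipher $(ovpn_cipher "$1") - OK"
    else
        echo "$1: cipher $(ovpn_cipher "$1") - WEAK, set 'cipher AES-256-CBC' (or a Camellia CBC cipher)"
    fi
}

# Constructed sample configs, written to a temporary directory for the demo.
demo_dir=$(mktemp -d)
printf 'port 1194\nproto udp\ncipher BF-CBC\n' > "$demo_dir/old-roadwarrior.conf"
printf 'port 1194\nproto udp\ncipher AES-256-CBC\n' > "$demo_dir/new-roadwarrior.conf"
printf 'port 1194\nproto udp\n' > "$demo_dir/no-cipher-line.conf"
for f in "$demo_dir"/*.conf; do
    ovpn_report "$f"
done
rm -rf "$demo_dir"
```

The check deliberately treats a missing `cipher` line as Blowfish rather than as "unknown", because that is what an older server would actually negotiate; a config that merely omits the directive is therefore reported as weak, which is the conservative outcome for an audit.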
Posted: January 7, 2014