Key Length

Post your questions about VPN Gate Academic Experiment Service here. Please answer questions if you can afford.
user2581
Posts: 3
Joined: Fri Jun 06, 2014 6:27 am

Key Length

Post by user2581 » Fri Jun 06, 2014 6:36 am

Hi,

Key length is now 1024 instead of 2048. Why this change?

dnobori
Posts: 228
Joined: Tue Mar 05, 2013 10:04 am

Re: Key Length

Post by dnobori » Fri Jun 06, 2014 12:57 pm

Does "key length" mean the bit-length of the SSL server certificates on each VPN Gate relay server?

If so, VPN Gate has not changed the key length since its launch in March 2013.

There are two types of SSL server certificates for VPN Gate relay servers.

Type 1: Self-signed SSL certificate (1024bit).
This kind of self-signed SSL certificate is generated automatically for each VPN Gate relay server. In order to prevent VPN packets from being found by government censorship firewalls (e.g. GFW), the CN (common name) field of each certificate is a randomized string (e.g. 'abc12345.com'), in order to reduce its characteristics. (If it is not randomized, the firewall can easily identify them to disconnect the VPN session.)

Type 2: *.opengw.net wildcard certificate (2048bit).
This kind of RapidSSL-signed SSL certificate is not generated automatically, and all VPN Gate relay servers of this type have the same certificate. It is useful for supporting the Microsoft SSTP-VPN protocol with dynamic DNS (abc.opengw.net); however, it is very weak against censorship firewalls, because firewalls can find the "*.opengw.net" bit pattern very easily by capturing packets over the border.

In order to make it difficult for the censorship firewall to find VPN Gate communication packets, approximately 75% of VPN Gate relay servers are using Type 1, and the remaining 25% of servers are using Type 2.

Type 1 has been 1024bit, and Type 2 has been 2048bit for more than one year since VPN Gate launched.

user2581
Posts: 3
Joined: Fri Jun 06, 2014 6:27 am

Re: Key Length

Post by user2581 » Fri Jun 06, 2014 4:46 pm

Thanks for the answer.

Replacing the self-signed SSL certificate's 1024 with 2048 would be good for security, but I suppose there is a reason to keep 1024.

dnobori
Posts: 228
Joined: Tue Mar 05, 2013 10:04 am

Re: Key Length

Post by dnobori » Sat Jun 07, 2014 2:16 am

There is no reason to keep it 1024bit. It is just neglect.

internet freedom
Posts: 8
Joined: Sun Apr 27, 2014 3:46 pm

Re: Key Length

Post by internet freedom » Sat Jun 07, 2014 10:10 am

I think it's very unprofessional of those to not answer the posts here. There are obviously problems with this VPN, possibly the software or those silly idiots in the censorship departments blocking it and denying people the right to an open internet where they can gain knowledge.

Astrill VPN works fine, and there is also Zenmate, which is a Google plugin that lets you browse any site. Goagent is another.

Softether net, why don't you just let the people know what is happening? Then we would all know where we are.
Frankly speaking, I would have no problem paying for this service if it worked on a regular basis. This VPN has worked quite well since its release last year up till now.
I am glad that I also have three other VPN services that I use, and if something goes wrong they always inform their users about any problems. I shall wait like many others for an ANSWER from you.
Many thanks in advance.

user2581
Posts: 3
Joined: Fri Jun 06, 2014 6:27 am

Re: Key Length

Post by user2581 » Sat Jun 07, 2014 2:25 pm

For the price, we can't find better, I think. ;)
I didn't know VPNgate till last month, and this is great stuff. My question was just about security, not reliability. Anyway, with OpenVPN, all works fine for me.

Knowing that 1024-bit keys are crackable and have been considered weak since 2010-2011, the admin of VPNgate should take measures to ensure this great project. Is there an upgrade planned?

dnobori
Posts: 228
Joined: Tue Mar 05, 2013 10:04 am

Re: Key Length

Post by dnobori » Sat Jun 07, 2014 4:01 pm

VPN Gate is not a guaranteed service.
It is just an academic project for writing papers.

Users who need stability and satisfying technical support should use commercial VPN services.

dnobori
Posts: 228
Joined: Tue Mar 05, 2013 10:04 am

Re: Key Length

Post by dnobori » Sat Jun 07, 2014 4:02 pm

Thank you for your suggestion. We will upgrade the key length in the near future when we are in the mood.

dnobori
Posts: 228
Joined: Tue Mar 05, 2013 10:04 am

Re: Key Length

Post by dnobori » Sat Jun 07, 2014 5:47 pm

The key length of the randomly generated self-signed root certificate has been set to 2048 bit since 2:30 A.M. June 8, 2014 (JST).

Each VPN Gate server will have a 2048 bit RSA key at the time of its next global IP change.
(Since each OpenVPN configuration file for each server has an inline-embedded SSL certificate, each server cannot change the current certificate, in order to prevent connection errors for users. That is why the key change will be postponed until after the next change of global IP address.)
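An added example, not part of the thread and not VPN Gate's own code: because each OpenVPN configuration file carries its certificate inline, the RSA key size discussed above can be read straight from the file with a small DER walk. The `<ca>` block name, the `sample_ovpn` helper, its address and its unsigned certificate skeleton are assumptions constructed for illustration.

```python
import base64, re

RSA_OID = bytes.fromhex("2a864886f70d010101")       # rsaEncryption

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                               # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def children(buf, start, end):
    """Elements directly inside a constructed DER value."""
    out = []
    while start < end:
        out.append(read_tlv(buf, start))
        start = out[-1][2]
    return out

def rsa_bits_from_ovpn(text, block="ca"):
    """RSA modulus size (bits) of the first certificate in an inline <block>."""
    pem = re.search(rf"<{block}>.*?-----BEGIN CERTIFICATE-----(.*?)-----END", text, re.S).group(1)
    der = base64.b64decode("".join(pem.split()))
    _, s, e = read_tlv(der, 0)                      # Certificate
    _, s, e = read_tlv(der, s)                      # tbsCertificate
    fields = [f for f in children(der, s, e) if f[0] != 0xA0]   # drop [0] version
    _, s, e = fields[5]                             # subjectPublicKeyInfo
    alg, key = children(der, s, e)
    if RSA_OID not in der[alg[1]:alg[2]]:
        raise ValueError("not an RSA key")
    _, s, e = read_tlv(der, key[1] + 1)             # skip the BIT STRING unused-bits byte
    _, s, e = children(der, s, e)[0]                # modulus INTEGER
    return int.from_bytes(der[s:e], "big").bit_length()

def tlv(tag, body):
    """Minimal DER encoder, used only to build the constructed sample."""
    n, size = len(body), (len(body).bit_length() + 7) // 8
    head = bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + head + body

def sample_ovpn(bits):
    """Constructed config with an unsigned certificate skeleton (not a real key)."""
    n = b"\x00" + ((1 << (bits - 1)) | 1).to_bytes(bits // 8, "big")
    alg = tlv(0x30, tlv(6, RSA_OID) + tlv(5, b""))
    spki = tlv(0x30, alg + tlv(3, b"\x00" + tlv(0x30, tlv(2, n) + tlv(2, b"\x01\x00\x01"))))
    tbs = tlv(0x30, tlv(0xA0, tlv(2, b"\x02")) + tlv(2, b"\x01") + alg + tlv(0x30, b"") * 3 + spki)
    pem = base64.encodebytes(tlv(0x30, tbs + alg + tlv(3, b"\x00"))).decode()
    return f"remote 192.0.2.1 443\n<ca>\n-----BEGIN CERTIFICATE-----\n{pem}-----END CERTIFICATE-----\n</ca>\n"
```

Calling `rsa_bits_from_ovpn(open(path).read())` on a downloaded configuration shows whether that server still presents a 1024-bit certificate or has already rotated to 2048.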
