Networking Forums

OpenVPN keys

James Knott
      09-02-2004, 02:41 AM
When I set up OpenVPN, I generated a 2048 bit static key. Is this key used
for the encryption of data? Or is it used only to protect generation of a
session key? If there's a session key, how long is it?

tnx jk

--

(This space intentionally left blank)
 
Christopher Browne
      09-02-2004, 04:52 AM
In an attempt to throw the authorities off his trail, James Knott <(E-Mail Removed)> transmitted:
> When I set up OpenVPN, I generated a 2048 bit static key. Is this
> key used for the encryption of data? Or is it used only to protect
> generation of a session key? If there's a session key, how long is
> it?


No, the "static" key is used for public key encryption.

OpenVPN supports the use of any of the ciphers provided by OpenSSL,
and a common key size for better block ciphers these days is 128 bits.

It's pretty typical for block ciphers to have _way_ fewer bits than PK
ciphers, and that doesn't mean that they'll be weaker. To the
contrary, since you don't _need_ the asymmetries of PK encryption, it
usually takes fewer bits to provide encryption of similar
strength.

With RSA, for instance, people have done a lot of work building prime
number sieves and such, and it's pretty easy to crack a 128 bit RSA
key set. The same is NOT true for AES, 3DES, and the like.
--
output = reverse("gro.mca" "@" "enworbbc")
http://cbbrowne.com/info/nonrdbms.html
Q: Can SETQ only be used with numerics?
A: No, SETQ may also be used by Symbolics, and use it they do.
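
Christopher Browne's point above, that key lengths are not comparable between RSA and block ciphers, worked through as an added example (not part of the original thread). The function names and the toy modulus are constructed for illustration, and the work estimate is the standard number field sieve heuristic with its o(1) term dropped, so it is a rough guide only.

```python
import math

def gnfs_work_bits(modulus_bits):
    """Rough log2 of the work to factor an RSA modulus of this size.

    Heuristic L_n[1/3, (64/9)^(1/3)] for the general number field sieve,
    o(1) term dropped: an order-of-magnitude guide, not a precise figure.
    """
    ln_n = modulus_bits * math.log(2)
    c = (64 / 9) ** (1 / 3)
    work = c * ln_n ** (1 / 3) * math.log(ln_n) ** (2 / 3)
    return work / math.log(2)

def pollard_rho(n):
    """Return (factor, steps) for an odd composite n (Floyd cycle finding)."""
    for c in range(1, 50):
        x = y = 2
        steps = 0
        d = 1
        while d == 1:
            x = (x * x + c) % n          # tortoise: one step
            y = (y * y + c) % n          # hare: two steps
            y = (y * y + c) % n
            d = math.gcd(abs(x - y), n)
            steps += 1
        if d != n:                       # d == n means this c failed, retry
            return d, steps
    raise ValueError("no factor found")

# Constructed toy modulus: product of two 32-bit primes, i.e. a 64-bit "RSA" key.
P, Q = 4294967291, 4294967279
N = P * Q

def compare():
    """Contrast factoring a 64-bit modulus with searching a 64-bit cipher key."""
    factor, steps = pollard_rho(N)
    return {
        "factor": factor,
        "cofactor": N // factor,
        "rho_steps_log2": math.log2(steps),
        "cipher_64_search_log2": 63,     # expected trials for a 64-bit symmetric key
        "rsa_work_bits": {b: round(gnfs_work_bits(b)) for b in (128, 512, 1024, 2048)},
    }

if __name__ == "__main__":
    print(compare())
```

The 64-bit modulus falls after roughly 2^16 to 2^18 iterations, while exhausting a 64-bit symmetric key space takes about 2^63 trials on average; by the same heuristic a 2048-bit RSA modulus lands in the same range as a block cipher key of a little over 110 bits.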
 
James Knott
      09-02-2004, 01:22 PM
Christopher Browne wrote:

> In an attempt to throw the authorities off his trail, James Knott
> <(E-Mail Removed)> transmitted:
>> When I set up OpenVPN, I generated a 2048 bit static key. Is this
>> key used for the encryption of data? Or is it used only to protect
>> generation of a session key? If there's a session key, how long is
>> it?

>
> No, the "static" key is used for public key encryption.


Wouldn't that be the session key? My understanding of encryption, using
public keys, is that the public key is only used during the creation &
exchange of a session key. So in this case, where I generate the 2048 bit
static key, it would be used in the same manner as a public key, and not
used to generate it. The session can then be regenerated at intervals, to
make the tunnel more secure.

>
> OpenVPN supports the use of any of the ciphers provided by OpenSSL,
> and a common key size for better block ciphers these days is 128 bits.
>
> It's pretty typical for block ciphers to have _way_ fewer bits than PK
> ciphers, and that doesn't mean that they'll be weaker. To the
> contrary, since you don't _need_ the asymmetries of PK encryption, it
> usually takes fewer bits to provide encryption of similar
> strength.
>
> With RSA, for instance, people have done a lot of work building prime
> number sieves and such, and it's pretty easy to crack a 128 bit RSA
> key set. The same is NOT true for AES, 3DES, and the like.


--

(This space intentionally left blank)