Cryptography is used to securely communicate between participants. Encrypted data can be sent over insecure connections because it is very hard (practically impossible) to decrypt this data without having a digital secret key.
There are two main types of cryptography:
Also known as as symmetric-key cryptography. Both sides have same, shared key.
Cons: Does not allow scenarios of any complexity as trust can not be delegated. No clear way to revoke trust after the key was compromised, one have to explicitly reconfigure peers’ configurations.
Also known as asymmetric cryptography. Each side has it’s own key. Such key has two parts: private and public. Private key should never leave the device it was generated on. Private key allows decryption of data that was encrypted for it, using the public part of the key. Public part can be sent over the internet.
Pros: trust can be delegated by signing additional certificates and validating the signature by other participants. Certificates and therefore trust are limited in time and can be revoked. This allows flexibility.
Cons: requires infrastructure
VPN is a software that secures traffic between two communicating sides. Each side can be a single computer or a computer network. Typical VPN bridges between corporate office network and a laptop of an employee. When connected using VPN, the employee can access office servers that reside inside office network. Typical servers on corporate network are Exchange mail server, file sharing servers, etc. Corporate servers usually not exposed directly to the internet for security reasons. VPN requires both sides to be authenticated and authorized. This is done using usernames and passwords in some cases but cryptographic certificates are believed to be better alternatives.
As mentioned above, information can be encrypted using public part of cryptographic key. How is it possible to determine that the key belongs to whoever it claims to be? That’s what certificates are for. Cryptographic certificate binds two things together: identity (such as google.com) and a public key. How one can trust a certificate? That’s what PKI is for.
Public key infrastructure is a way to work with certificates and ensure trust chains. Trust chain starts at a Certificate Authority (CA), one of many world-wide trusted companies. CA certificates are typically installed on computers (PCs, Macs, servers) during operating system installation. This allows your browser to decide which sites are trusted when surfing to HTTPS sites.
Each CA can be imagined as pyramid’s top. Certificates signed by CA are automatically trusted by the PKI-implementing software. These could be imagined as the pyramid level just below the pyramid’s top. Certificates signed by certificates that are signed by CA are also trusted and so on, till we reach the bottom of the pyramid. Certificates at the bottom are the ones that are used to authenticate sites (Google, Facebook, etc) and less frequently – people. Common height of such pyramids is 2 to 4 levels, including top and bottom.
Private, also called “self-signed” CA is yet another pyramid’s top, except in this case, it does not belong to a publicly trusted CA company.
Typical installation of StrongSwan VPN (and some other VPNs) relies on private CA. This CA is used to issue (sign) both VPN server certificate, which is used to authenticate the VPN server and VPN clients’ certificates to authenticate VPN clients.
iOS devices such as iPhone require that the VPN server’s certificate will be a trusted certificate. Trusted in this context means that there is a trust path from any publicly trusted CA (pyramid’s top) to the given certificate. In case of private CA, there will be no publicly trusted CA up the chain. The solution is to install private CA certificate on the device along the trusted public CA certificates.
Installing private CA on a device is dangerous. If private CA certificate is compromised, all encrypted communications of the device can be listened to (decrypted) and tampered with. The exception to this horrible rule is few more security-aware companies which use special techniques to protect themselves and their clients. Compromise of a CA certificate means that fake certificates can be issued for any site the device tries to access, benefiting the attacker and allowing him/her to decrypt and tamper with traffic. Compromise of private CA is more likely to happen as it’s not handled by companies which entire orientation is PKI and security. Such compromise is also more likely to be undetected for longer period of time.
For proper credentials revocation checks, additional setup is required which is sometimes neglected and done in hurry when the first revocation should be done.
See our video: Gatekeeper managing StrongSwan.
Beame Gatekeeper with StrongSwan plugin can be used instead of private CA management. In contrast to private CA, certificates issued using Beame Gatekeeper are signed by publicly trusted CA. This means that additional (private) CA certificate is not required to be installed on the iOS device.
Beame Gatekeeper allows to create certificate and VPN settings file for an iOS device. Setting up StrongSwan VPN on an iOS device is now as easy as scanning the QR shown in web administration interface and another few touches on the mobile device.
Beame Gatekeeper updates StrongSwan configuration files once per minute adding cryptographic identities of new users and removing revoked identities. Beame Gatekeeper disconnects any users that are currently connected, whose identities were revoked.
Correct credentials revocation does not require additional effort. Hitting “Revoke” in Beame Gatekeeper’s web administration interface is enough for VPN service reconfiguration.