
HMAC authentication

Posted: Sun May 13, 2018 10:20 pm
by M_Kalash

I'm new to cryptography, and I'm using OpenVPN in pfSense. I've read a lot on the internet about HMAC, and found out that it is used as a signature sent along with data to provide authenticity. What I also read is that HMAC uses 2 keys derived from the master key, which was generated during the key exchange of the SSL/TLS handshake.
So here is my question, what does tls authentication option do then? This is the description provided:
A TLS key enhances security of an OpenVPN connection by requiring both parties to have a common key before a peer can perform a TLS handshake. This layer of HMAC authentication allows control channel packets without the proper key to be dropped, protecting the peers from attack or unauthorized connections. The TLS Key does not have any effect on tunnel data.
This key is used to sign control channel packets with an HMAC signature for authentication when establishing the tunnel.
This confuses me. Do we generate 2 HMAC signatures? One before the handshake and one during the handshake? Or do we use 1 method and drop the other?
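The two HMAC layers the post is asking about can be modelled in a few dozen lines. The following is an added toy example, not OpenVPN or pfSense code: a static pre-shared key (standing in for the tls-auth key file) HMAC-signs every control-channel packet and unauthenticated packets are dropped before any handshake work happens, while a second, unrelated HMAC key for tunnel data is derived from a (constructed) TLS master secret. The digest choice (SHA-256), the tag placement, and the use of HKDF instead of the TLS PRF OpenVPN actually uses for key derivation are all assumptions made for the sake of the illustration.

```python
"""Toy model of OpenVPN's two HMAC layers (added example, not OpenVPN code).

Layer 1 (--tls-auth): a static key shared out of band HMAC-signs every
control-channel packet; packets that fail the check are dropped before the
TLS handshake code ever sees them.
Layer 2 (data channel): after the handshake, separate keys are derived from
the TLS master secret and used to encrypt and HMAC tunnel data.  The static
tls-auth key plays no part in layer 2.
"""
import hashlib
import hmac

DIGEST = "sha256"          # assumption; OpenVPN selects the digest via --auth
TAG_LEN = hashlib.new(DIGEST).digest_size

# Constructed stand-in for the shared static key from a tls-auth key file.
TLS_AUTH_KEY = bytes(range(32))


def hmac_tag(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, DIGEST).digest()


def sign_packet(key: bytes, payload: bytes) -> bytes:
    """Append an HMAC tag over the payload (tag placement is a toy choice)."""
    return payload + hmac_tag(key, payload)


def verify_packet(key: bytes, packet: bytes):
    """Return the payload if the tag verifies, otherwise None.

    compare_digest runs in constant time, so the check does not leak how
    many tag bytes matched.
    """
    if len(packet) < TAG_LEN:
        return None
    payload, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac_tag(key, payload)):
        return None
    return payload


def control_channel_gate(packets, key=TLS_AUTH_KEY):
    """Layer 1: count which control packets are allowed to reach the TLS code."""
    stats = {"accepted": 0, "dropped": 0}
    for pkt in packets:
        if verify_packet(key, pkt) is None:
            stats["dropped"] += 1      # discarded before any handshake work
        else:
            stats["accepted"] += 1     # handed on to the TLS handshake
    return stats


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand (RFC 5869); stand-in for the TLS PRF OpenVPN really uses."""
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), DIGEST).digest()
        out += block
        counter += 1
    return out[:length]


def derive_data_channel_keys(master_secret: bytes):
    """Layer 2: distinct cipher and HMAC keys derived from the TLS master secret."""
    prk = hmac.new(b"toy-extract-salt", master_secret, DIGEST).digest()  # HKDF-Extract
    material = hkdf_expand(prk, b"toy openvpn data channel", 64)
    return {"cipher_key": material[:32], "hmac_key": material[32:]}


def demo():
    """Run both layers over constructed packets and report what each check decides."""
    good = sign_packet(TLS_AUTH_KEY, b"control: client hello (constructed)")
    wrong_key = sign_packet(b"some other key", b"control: client hello (constructed)")
    tampered = bytearray(good)
    tampered[0] ^= 1                   # flip one payload bit; tag no longer matches
    stats = control_channel_gate([good, wrong_key, bytes(tampered), b"junk"])

    master_secret = bytes(range(48))   # constructed; really produced by the TLS handshake
    keys = derive_data_channel_keys(master_secret)
    data_pkt = sign_packet(keys["hmac_key"], b"tunnel payload (constructed)")
    return {
        "control_stats": stats,
        "data_pkt_passes_data_check": verify_packet(keys["hmac_key"], data_pkt) is not None,
        "data_pkt_passes_tls_auth_check": verify_packet(TLS_AUTH_KEY, data_pkt) is not None,
        "keys_distinct": keys["cipher_key"] != keys["hmac_key"] != TLS_AUTH_KEY,
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the point of the tls-auth layer: of four control packets only the one signed with the shared static key gets through, and the other three are dropped without any TLS processing. The data-channel packet verifies under the derived HMAC key but not under the static key, which is the "does not have any effect on tunnel data" part of the description: the two HMACs protect different layers with different keys rather than one replacing the other.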

Re: HMAC authentication

Posted: Mon May 14, 2018 12:49 pm
by Pippin
Please see --tls-auth file [direction] in manual 2.4 for a bit more explanation: ... n24ManPage