OpenVPN Cryptography and NIST SP800-57

Business solution to host your own OpenVPN server with web management interface and bundled clients.
Johnny86
OpenVpn Newbie
Posts: 2
Joined: Tue Feb 23, 2021 8:19 pm

OpenVPN Cryptography and NIST SP800-57

Post by Johnny86 » Tue Feb 23, 2021 9:07 pm

Hello everyone, hope you are keeping well and can advise on the following:
I'd like to know the answer to the following: Does OpenVPN utilise robust cryptography as per the NIST SP800-57 guidance?
On the OpenVPN website the following answer is provided to the question "What security practices/framework is the program based on? (NIST, ISO, etc)"
The OpenVPN program is a publicly audited open source project with a track record of many years of excellent security.
The above Q&A can be found at https://openvpn.net/openvpn-compliance/
The fact there is neither a straightforward Yes/No to be taken from the above leads me to believe the answer is No - because if it was based on NIST guidance then surely they would say so? Happy to be corrected should I be wrong with this assumption.
Any guidance you can offer would be much appreciated.
All my best
Johnny

openvpn_inc
OpenVPN Inc.
Posts: 1333
Joined: Tue Feb 16, 2021 10:41 am

Re: OpenVPN Cryptography and NIST SP800-57

Post by openvpn_inc » Thu Feb 25, 2021 3:53 pm

Hello,

I would say that in order to make OpenVPN completely compliant with those requirements, that you would need to actually disable parts of OpenVPN that allow other cryptographic options. Probably have to do something about your environment that OpenVPN runs in too. This document reads similar to FIPS-140 and also references it. Usually such documents say something along the lines of "you have to use these ciphers and if your solution supports anything else then it's not compliant".

Our commercial products use ciphers and methods generally recommended in those documents like AES-256 for example. But at best you can make it compliant to the degree that if you use the correct (usually default) settings then you should be (mostly) compliant. But if you are getting audited on this, then I figure the only real option is to compile your own version of OpenVPN where you neuter everything that doesn't meet what's in that document.

Kind regards,
Johan
OpenVPN Inc.
Answers provided by OpenVPN Inc. staff members here are provided on a voluntary best-effort basis, and no rights can be claimed on the basis of answers posted in this public forum. If you wish to get official support from OpenVPN Inc. please use the official support ticket system: https://openvpn.net/support
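
One way to check the "correct settings" approach described in the reply above, as an added example that is not part of the thread and not OpenVPN Inc. code: a small audit that compares the cipher-related directives in an OpenVPN config against an allowlist. The allowlists, the TLS floor and the sample config are assumptions constructed for illustration; substitute the algorithm list your auditor actually accepts.

```python
# Added example: audit OpenVPN directives against a cipher allowlist.
# The allowlists are assumptions for illustration, not a statement of what
# SP 800-57 requires; use the list your auditor accepts.
APPROVED = {
    "data-ciphers": {"AES-256-GCM", "AES-128-GCM"},
    "data-ciphers-fallback": {"AES-256-GCM", "AES-256-CBC"},
    "cipher": {"AES-256-GCM", "AES-256-CBC"},
    "auth": {"SHA256", "SHA384", "SHA512"},
}
MIN_TLS = (1, 2)  # assumed policy floor for tls-version-min

# Constructed sample config, not taken from the thread.
SAMPLE_CONFIG = """\
# server.conf (constructed)
port 1194
data-ciphers AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305
data-ciphers-fallback BF-CBC
auth SHA256
tls-version-min 1.0
"""

def audit(config_text):
    """Return (line_number, directive, offending_value) tuples."""
    findings, seen = [], set()
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        # Simplified comment handling: cut at the first '#' or ';'.
        fields = raw.split("#", 1)[0].split(";", 1)[0].split()
        if not fields:
            continue
        directive, args = fields[0], fields[1:]
        seen.add(directive)
        if directive in APPROVED and args:
            # Cipher lists are colon-separated; normalise case to compare.
            for name in args[0].upper().split(":"):
                if name not in APPROVED[directive]:
                    findings.append((lineno, directive, name))
        elif directive == "tls-version-min" and args:
            version = tuple(int(p) for p in args[0].split("."))
            if version < MIN_TLS:
                findings.append((lineno, directive, args[0]))
    # A directive left unset falls back to the build's defaults, which this
    # audit cannot see, so report it (line 0) for manual review.
    for directive in ("data-ciphers", "auth", "tls-version-min"):
        if directive not in seen:
            findings.append((0, directive, "not set"))
    return findings

if __name__ == "__main__":
    for lineno, directive, value in audit(SAMPLE_CONFIG):
        print(f"line {lineno}: {directive} -> {value}")
```

A clean config returns an empty list; a finding on line 0 means the directive is absent and the defaults of the installed build need to be checked separately.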

Johnny86
OpenVpn Newbie
Posts: 2
Joined: Tue Feb 23, 2021 8:19 pm

Re: OpenVPN Cryptography and NIST SP800-57

Post by Johnny86 » Fri Feb 26, 2021 6:57 pm

Hello Johan,
Thank you very much indeed for your message - it is most helpful.
All my very best
Johnny
