iOS client security question

Official client software for OpenVPN Access Server and OpenVPN Cloud.
lalamper
OpenVpn Newbie
Posts: 3
Joined: Wed Jul 10, 2013 10:02 pm

iOS client security question

Post by lalamper » Wed Jan 01, 2014 4:51 pm

Hi,

I am using your OpenVPN iOS client app on my iPad with satisfaction; it really rocks.
However, I have some questions from a security point of view, and I hope you can make them clear.

I use the "standard way" to import profiles, keys, and certs to my device, I mean I add them with iTunes as simple files, and everything works fine.

Now, I would like to import some very important and confidential profiles as well, but before doing so, I need to know how and where my keys and certs are stored inside the device. I know that it is also possible to import them as PKCS12, but in that case the iOS keychain is used to store them, which is safe from one side, but I think it is insecure, because my secrets can leave the device (iCloud backup).

I would like to avoid making it possible to get my keys and certs out of my device; that is why I prefer to store them locally. I do not trust the cloud. You know, the NSA and other issues are in the air... :)

Of course, I can exclude OpenVPN client app from iCloud backup, but I am not sure if it is enough.

How do you see this?
Thanks,

jamesyonan
OpenVPN Inc.
Posts: 169
Joined: Thu Jan 24, 2013 12:13 am

Re: iOS client security question

Post by jamesyonan » Thu Jan 02, 2014 12:50 am

OpenVPN Connect on iOS saves/accesses all profiles using the iOS VPN Framework APIs.

The only times that a profile touches the iOS filesystem as a flat file are:

(a) when iTunes/Safari/Mail is used to import a profile onto the device,

(b) OpenVPN Connect versions before 1.0.3 write the profile to a temporary file during connect then immediately delete the file.

For maximum security, I would suggest importing the client cert/private key into the iOS Keychain and removing it from the profile.

Be sure to use a strong device-level password, as this password essentially protects the iOS Keychain. Even though the iOS master password uses at least 10,000 PBKDF2 iterations to slow down automated password cracking, modern GPU-assisted password cracking rigs can achieve 1 billion iterations per second.

OpenVPN Connect also fully supports the OpenVPN challenge/response protocol, so you can add a challenge/response to your authentication procedure.

Having a strong password that is authenticated by the server and not saved on the device is a good defense against brute-forcing, as long as the server locks out the profile after a small number of authentication failures.

The OpenVPN Access Server supports both challenge/response authentication (such as Google Authenticator) and profile lockout after repeated authentication failures.

James

lalamper
OpenVpn Newbie
Posts: 3
Joined: Wed Jul 10, 2013 10:02 pm

Re: iOS client security question

Post by lalamper » Sun Feb 16, 2014 10:24 am

Hi James,

Thanks for your answer!

I have successfully stored my keys/certs in the iOS keychain using a PKCS12 file and I can connect easily.
However, when I was using normal profiles (not keychain integrated) I was able to encode the key files before importing, and OpenVPN Connect asked for this password before connecting.
After using the keychain to store secrets, I was not able to set up a password that is requested before connecting. The only password I can set is the "export password", which is needed when I want to add the p12 file to the keychain. It is requested only once.

Is it possible to use a password before connecting with keys/certs in the keychain? (I know the challenge/response method is also possible, but that is another thing.)

By the way, I think most people are using a 4-digit passcode to protect their device, because using a strong and difficult device-level password makes everyday use very uncomfortable.
How well are my secrets protected if I am using a 4-digit passcode?

Thanks,
L.
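To put the two figures James quoted (10,000 PBKDF2 iterations per guess, a cracking rig doing 1 billion iterations per second) against the 4-digit passcode question, here is an added brute-force cost estimator; it is example code written for this thread, not part of OpenVPN Connect or iOS, and it assumes an offline attacker with the keychain blob and no hardware-enforced guess throttling, which is the worst case for the device owner.

```python
import math

# Figures quoted in James' reply, taken here as the model's assumptions:
PBKDF2_ITERATIONS = 10_000              # "at least 10,000 PBKDF2 iterations"
CRACKER_ITERS_PER_SEC = 1_000_000_000   # "1 billion iterations per second"


def guesses_per_second(iterations=PBKDF2_ITERATIONS, rate=CRACKER_ITERS_PER_SEC):
    """Passcode guesses per second when each guess costs `iterations` KDF rounds.
    Assumes the attacker guesses off-device at full rate with no delays."""
    return rate / iterations


def keyspace(length, alphabet_size):
    """Number of distinct passcodes of the given length over the alphabet."""
    return alphabet_size ** length


def seconds_to_exhaust(length, alphabet_size,
                       iterations=PBKDF2_ITERATIONS, rate=CRACKER_ITERS_PER_SEC):
    """Worst-case seconds to try every passcode; the average is half of this."""
    return keyspace(length, alphabet_size) / guesses_per_second(iterations, rate)


def entropy_bits(length, alphabet_size):
    """Passcode entropy assuming every value in the keyspace is equally likely."""
    return length * math.log2(alphabet_size)


def describe(seconds):
    """Render a duration in the largest unit that fits."""
    for unit, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:.1f} {unit}"
    return f"{seconds:.3f} seconds"


# Constructed passcode policies to compare (alphabet: digits=10, a-z+0-9=36, printable=95)
POLICIES = {
    "4-digit passcode": (4, 10),
    "6-digit passcode": (6, 10),
    "8 lowercase+digits": (8, 36),
    "12 printable chars": (12, 95),
}

if __name__ == "__main__":
    print(f"{guesses_per_second():,.0f} guesses/s at {PBKDF2_ITERATIONS:,} iterations")
    for name, (length, alphabet) in POLICIES.items():
        t = seconds_to_exhaust(length, alphabet)
        print(f"{name:20s} {entropy_bits(length, alphabet):5.1f} bits  "
              f"exhausted in {describe(t)}")
```

Under these assumptions a 4-digit passcode is exhausted in about a tenth of a second, so the KDF iteration count only buys time when the passcode itself carries enough entropy.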
