Previous: Encryption of network packets, Up: Security [Contents][Index]
In August 2000, we discovered the existence of a security hole in all versions of tinc up to and including 1.0pre2. This had to do with the way we exchanged keys. Since then, we have been working on a new authentication scheme to make tinc as secure as possible. The current version uses the LibreSSL or OpenSSL library and uses strong authentication with RSA keys.
On the 29th of December 2001, Jerome Etienne posted a security analysis of tinc 1.0pre4. Due to a lack of sequence numbers and a message authentication code for each packet, an attacker could possibly disrupt certain network services or launch a denial of service attack by replaying intercepted packets. The current version adds sequence numbers and message authentication codes to prevent such attacks.
On the 15th of September 2003, Peter Gutmann posted a security analysis of tinc 1.0.1. He argues that the 32 bit sequence number used by tinc is not a good IV, that tinc’s default length of 4 bytes for the MAC is too short, and he doesn’t like tinc’s use of RSA during authentication. We do not know of a security hole in the legacy protocol of tinc, but it is not as strong as TLS or IPsec.
The Sweet32 attack affects versions of tinc prior to 1.0.30.
On September 6th, 2018, Michael Yonly contacted us and provided proof-of-concept code that allowed a remote attacker to create an authenticated, one-way connection with a node, and also that there was a possibility for a man-in-the-middle to force UDP packets from a node to be sent in plaintext. The first issue was trivial to exploit on tinc versions prior to 1.0.30, but the changes in 1.0.30 to mitigate the Sweet32 attack made this weakness much harder to exploit. These issues have been fixed in tinc 1.0.35.
This version of tinc comes with an improved protocol, called Simple Peer-to-Peer Security (SPTPS), which aims to be as strong as TLS with one of the strongest cipher suites. None of the above security issues affected SPTPS. However, be aware that SPTPS is only used between nodes running tinc 1.1pre* or later, and in a VPN with nodes running different versions, the security might only be as good as that of the oldest version.
Cryptography is a hard thing to get right. We cannot make any guarantees. Time, review and feedback are the only things that can prove the security of any cryptographic product. If you wish to review tinc or give us feedback, you are strongly encouraged to do so.
Previous: Encryption of network packets, Up: Security [Contents][Index]