Asus Transformer Pad Infinity
Security

Several applications need to authenticate to cloud services using a stored, stealable password.

• Xabber -- XMPP/Jabber instant message client.
• CIFSMount -- Mounting directories from a Samba or Windows flle server.

Since CIFS is not intrinsically encrypted and the strength of protection in authentication is believed to not be great, I would like to set up a secure tunnel to the cloud server.

Several of my cloud services (OOBA, SquirrelMail) will accept an X.509 certificate for authentication. How well do the various browsers handle X.509 certificates? First step is to download the CFT root certificate, then my personal cert and key as a PKCS#12 file. (Actually the root certificate is included in the PKCS#12 file, but it's nicer to give it its own friendly name.) It is possible to import certs that have been copied to the SD card, but I will import them using the Android browser from the CFT certificate service. Importing both certificates was successful with no hassle. Each one wanted a friendly name, and the PKCS#12 file's key is encrypted so it wanted the password. There appears to be no master password on the certificate storage. The Android browser was able to wield the secret key for admission to web pages requiring X.509 authentication: jimc's secure test area, and OOBA. This is in CyaogenMod-10.1 based on Android 4.2.x Super Jelly Bean. Formerly in CyanogenMod-9 based on Android-4.0 Ice Cream Sandwich, the Android browser would crash when the server demanded a certificate. Firefox-22.0 (Mobile) was able to use the installed root certificate to believe in the host certificate which the server proferred when making a TLS connection for the secure test page. However, when I navigated to my secure test area, requiring the client to authenticate with a X.509 certificate, Firefox was unable to create the TLS connection. Similarly an older version failed to do so in Cyanogenmod-9 based on ICS.

Setting up IPSec on the Server

I first considered Racoon (sic) (correct spelling is raccoon) as my IPSec server. This is in the ipsec-tools package (already installed). The latter package is actively maintained, but Racoon is the major product of the KAME project which is now finished. Racoon supports IKE (Internet Key Exchange) version 1. There is an upgraded protocol, version 2, and a modified Racoon2 which can do it, but it is not available on the SuSE Build Service.

The Strongswan package (strongswan-ipsec) does do IKEv2 and it is available on the SuSE Build Service as well as in the online updates. You need to install these packages:

• strongswan-ipsec (required)
• strongswan-sqlite (one or the other backend is required)
• strongswan-mysql (overkill unless you have thousands of users)
• strongswan-doc (optional)
• strongswan-nm (for a laptop using NetworkManager)
• strongswan (one README saying IKEv1 is deprecated)

An advantage of StrongSwan is that it is available for Android, so bug-for-bug interoperability is assured :-) The documentation indicates that it has evolved from FreeS/WAN and OpenS/WAN, which developed geopolitical issues and became extinct. This is the documentation wiki and bug reporting site for Strongswan.

This Diploma Thesis by Wolfgang Langer (2009-08-10) discusses the issues in using IPSec. It focusses on Racoon but is useful as an introduction, for other software like StrongSwan.