Ho many devices can I connect to CryptoStorm at once? Thanks.

You can establish only one connection per Token because multiple simultaneous connections would enable man in the middle attacks.

If you want to connect multiple devices at once with only one token, you can use a Router running a current version of DD-WRT or Tomato and configure it to establish the connection. With this your whole home network will be able to run through cryptostorm_vpn.

From their twitter:

@CryptoCloudVPN wrote:in order to harden against known MiTM attacks based on session concurrency, we hard-constrain 1 token to 1 concurrent session.

...

that said, if members need device concurrency & don't want to run router-based #cryptostorm sessions, we provide at no cost.

That's true, one device per token.

On a side note: In my opinion, Crypto Storm should allow multiple devices to be connected to the service. Most of us have more than one device, desktops, laptops, tablets, smart phones, etc.... Granted that there are alternative out there which such as, dd-wrt which DesuStrike suggested but that only works for handful of customers. Offering few tokens per account or something would allow customers to use it in multiple devices. I know that there may be some challenges involved from technical aspect of it but I am positive that it's doable.

Edit: Above poster beat me to it, ignore my post please.

Should we simply email support to work out additional tokens? While I agree with the DD-WRT, etc. idea I like to have my cell devices behind VPN when I leave the house.

Greetings, I'm the staffer manning things here today and whilst I'm not really the one to answer this question "officially," I also know we don't actually have "official" rules so there's not much stopping me from taking a run at it!

It's important to remember that there's no such thing as "account" with cryptostorm. We don't have any "accounts" (I helped write the token auth systems, so I know this better than most I suppose). There are only tokens - and hashes of tokens.

Now, I can see how there's a certain pressure to reverse backwards into "accounts" - for exactly thinks like issuing a few tokens to someone to cover several devices. This might be fine on an ad-hoc basis, but I can assure you that it's not ever going to become part of the cryptostorm data model... because I'm pretty much the one who maintains that model, so I can exercise veto power.

As to why multiple sessions per token is a Bad Idea, that's clearly more of a "pj issue" but since he's off doing long-overdue academic stuff this week (not sure that's ok to release publicly, but if he's unhappy he'll let us know) and dusting off his rusty French language skills in the process, I'll take a swipe. It's like issuing two keys to the front door of your summer cottage: convenient, yes, but also an obvious security risk. More specifically, I think there's concerns that OpenVPN could "leak" session data between concurrent logins since, in its own data model, sessions are identified by login credentials and thus two sessions on the same token are in some senses one token. This is a flavour of "MiTM" but not really - more like a Sibyl attack, as I understand it. But it's crypto gibberish to me; I do tokens.

tl;dr version is that when it comes to "accounts" as you ex-colonists say: Not. Gonna. Happen. And that's 'cause of some Security Issue that is a big deal to the security side of things. But: if someone needs a few tokens, word is that the support folks will issue them. They're good like that.

We totally get that lots of folks have multiple devices and that they want to protect them - sometimes router-based connects will do that, but other times (like smartphones) that's not going to work. And when we designed the token auth model, we had lots and lots of talks about this issue - I know, as I had to sit through them. The veto came from the security issues of multiple concurrent sessions, and when that stuff gets put on the table around here, it trumps everything else. So we pulled back to one session = 1 token. In fact, I remember that feeding back into the pricing decisions we made - since we wanted to be sure it was affordable to buy multiple tokens since we can't do concurrent sessions.

That's all I know - more than I know, technically. If I'm misspeaking, surely someone will correct me. Eventually.

My answer is even more unofficial than Graze's but I can confirm everything he said.
As this is indeed a "PJ Issue" I talked at least two times with him about exactly why Cryptostorm only allows one connection per token and his answers match the one Graze has given us right now though they were more technically adept.

j/k your explanation is fine!

If anyone wants a network engineering mumbo jumbo talk version of this I am sure the team will be happy to provide.

in that regard, is it feasible to issue multiple tokens per purchase? 3 seems most useful due to home router/server, phone and laptop/tablet

caustic386 wrote:in that regard, is it feasible to issue multiple tokens per purchase? 3 seems most useful due to home router/server, phone and laptop/tablet

As in, multi-token packages? I sort of worry than any canned package like that could inadvertently create payment links between the three tokens, thereby (theoretically) providing an attack surface for someone to do correlation/traffic analysis across devices in the event they tracked back (somehow) those related-token purchases.

But perhaps I'm just deep enough in the threat assessment mindset, nowadays, that any additional exposure of attack surface makes my hair stand on end. Still and all, the less surface exposed, the less risk of successful attacks. That's the mantra, eh?

Graze wrote:

caustic386 wrote:in that regard, is it feasible to issue multiple tokens per purchase? 3 seems most useful due to home router/server, phone and laptop/tablet

As in, multi-token packages? I sort of worry than any canned package like that could inadvertently create payment links between the three tokens, thereby (theoretically) providing an attack surface for someone to do correlation/traffic analysis across devices in the event they tracked back (somehow) those related-token purchases.

But perhaps I'm just deep enough in the threat assessment mindset, nowadays, that any additional exposure of attack surface makes my hair stand on end. Still and all, the less surface exposed, the less risk of successful attacks. That's the mantra, eh?

So instead of saying you offer 'x tokens per package', customers can just contact support with the number of tokens they need in order to connect their devices to the cryptostorm network? Is this something you guys can keep track of? What I mean is, if some douche asks for 5 tokens for all his devices, then sells 4, or saves them so he then has 5 months of your service but only paid for one month.

I'd love to be able to connect 3 of my devices, but I don't want people to abuse the crap outta your generosity either.

I guess you could probably add a timer to those "extra" tokens so they're in line with the "main" token's expiry date. Or have a max number of tokens you give out per month to one user.

Crap, I just posted without being logged in. The post talking about 'x tokens per package' and keeping track of them was me (whenever a mod approves it).

{done ~admin}