Simultaneous devices w/ 1 token? | CLOSED


Postby crazycookie » Tue Nov 19, 2013 3:28 pm

How many devices can I connect to CryptoStorm at once? Thanks.

DesuStrike
ForumHelper
Posts: 346
Joined: Thu Oct 24, 2013 2:37 pm

Re: Simultaneous devices

Postby DesuStrike » Tue Nov 19, 2013 3:49 pm

You can establish only one connection per Token because multiple simultaneous connections would enable man in the middle attacks.

If you want to connect multiple devices at once with only one token, you can use a Router running a current version of DD-WRT or Tomato and configure it to establish the connection. With this your whole home network will be able to run through cryptostorm_vpn.
home is where the artillery hits

severide
Posts: 27
Joined: Sun Nov 10, 2013 1:09 am

Re: Simultaneous devices

Postby severide » Tue Nov 19, 2013 11:40 pm

From their twitter:

@CryptoCloudVPN wrote: in order to harden against known MiTM attacks based on session concurrency, we hard-constrain 1 token to 1 concurrent session.

...

that said, if members need device concurrency & don't want to run router-based #cryptostorm sessions, we provide at no cost.
cryptofree via iOS
CS Node List
CS Wiki maintained by vpnDarknet
PGP
Bitmessage: BM-2cUCkRBnNEhhW3qyNoEpRK6LtQjUs281wT


Rider
Posts: 97
Joined: Tue Jan 01, 2013 11:21 pm
Contact:

Re: Simultaneous devices

Postby Rider » Tue Nov 19, 2013 11:45 pm

That's true, one device per token.

On a side note: In my opinion, Crypto Storm should allow multiple devices to be connected to the service. Most of us have more than one device: desktops, laptops, tablets, smart phones, etc. Granted that there are alternatives out there, such as dd-wrt which DesuStrike suggested, but that only works for a handful of customers. Offering a few tokens per account or something would allow customers to use it on multiple devices. I know that there may be some challenges involved from the technical aspect of it but I am positive that it's doable.

Edit: Above poster beat me to it, ignore my post please.


caustic386
Posts: 7
Joined: Sun Nov 17, 2013 1:12 am

Re: Simultaneous devices

Postby caustic386 » Wed Nov 20, 2013 1:18 am

Should we simply email support to work out additional tokens? While I agree with the DD-WRT, etc. idea I like to have my cell devices behind VPN when I leave the house.

Graze
Posts: 247
Joined: Mon Dec 17, 2012 2:37 am
Contact:

Re: Simultaneous devices

Postby Graze » Wed Nov 20, 2013 3:14 am

Greetings, I'm the staffer manning things here today and whilst I'm not really the one to answer this question "officially," I also know we don't actually have "official" rules so there's not much stopping me from taking a run at it! :-P

It's important to remember that there's no such thing as "account" with cryptostorm. We don't have any "accounts" (I helped write the token auth systems, so I know this better than most I suppose). There are only tokens - and hashes of tokens.

Now, I can see how there's a certain pressure to reverse backwards into "accounts" - for exactly things like issuing a few tokens to someone to cover several devices. This might be fine on an ad-hoc basis, but I can assure you that it's not ever going to become part of the cryptostorm data model... because I'm pretty much the one who maintains that model, so I can exercise veto power. :-)

As to why multiple sessions per token is a Bad Idea, that's clearly more of a "pj issue" but since he's off doing long-overdue academic stuff this week (not sure that's ok to release publicly, but if he's unhappy he'll let us know) and dusting off his rusty French language skills in the process, I'll take a swipe. It's like issuing two keys to the front door of your summer cottage: convenient, yes, but also an obvious security risk. More specifically, I think there are concerns that OpenVPN could "leak" session data between concurrent logins since, in its own data model, sessions are identified by login credentials and thus two sessions on the same token are in some senses one token. This is a flavour of "MiTM" but not really - more like a Sybil attack, as I understand it. But it's crypto gibberish to me; I do tokens.

tl;dr version is that when it comes to "accounts" as you ex-colonists say: Not. Gonna. Happen. And that's 'cause of some Security Issue that is a big deal to the security side of things. But: if someone needs a few tokens, word is that the support folks will issue them. They're good like that.

We totally get that lots of folks have multiple devices and that they want to protect them - sometimes router-based connects will do that, but other times (like smartphones) that's not going to work. And when we designed the token auth model, we had lots and lots of talks about this issue - I know, as I had to sit through them. The veto came from the security issues of multiple concurrent sessions, and when that stuff gets put on the table around here, it trumps everything else. So we pulled back to one session = 1 token. In fact, I remember that feeding back into the pricing decisions we made - since we wanted to be sure it was affordable to buy multiple tokens since we can't do concurrent sessions.

That's all I know - more than I know, technically. If I'm misspeaking, surely someone will correct me. Eventually. :-P
------------------------
My avatar is pretty much what I look like. ;) <-- ...actually true, says pj
WebMonkey, Foilhat, cstorm evangelnomitron.
Twitter: @grazestorm.
For any time sensitive help requests, best to email the fine bots in [email protected] or via Bitmessage at BM-NBjJaLNBwWiwZeQF5BMLYqarawbgycwJ ;)

DesuStrike
ForumHelper
Posts: 346
Joined: Thu Oct 24, 2013 2:37 pm

Re: Simultaneous devices

Postby DesuStrike » Wed Nov 20, 2013 3:27 am

My answer is even more unofficial than Graze's but I can confirm everything he said.
As this is indeed a "PJ Issue" I talked at least two times with him about exactly why Cryptostorm only allows one connection per token and his answers match the one Graze has given us right now though they were more technically adept. :mrgreen:

j/k your explanation is fine!

If anyone wants a network engineering mumbo jumbo talk version of this I am sure the team will be happy to provide. ;)


caustic386
Posts: 7
Joined: Sun Nov 17, 2013 1:12 am

Re: Simultaneous devices

Postby caustic386 » Wed Nov 20, 2013 4:05 am

in that regard, is it feasible to issue multiple tokens per purchase? 3 seems most useful due to home router/server, phone and laptop/tablet

Graze
Posts: 247
Joined: Mon Dec 17, 2012 2:37 am
Contact:

Re: Simultaneous devices

Postby Graze » Wed Nov 20, 2013 11:10 am

caustic386 wrote: in that regard, is it feasible to issue multiple tokens per purchase? 3 seems most useful due to home router/server, phone and laptop/tablet


As in, multi-token packages? I sort of worry that any canned package like that could inadvertently create payment links between the three tokens, thereby (theoretically) providing an attack surface for someone to do correlation/traffic analysis across devices in the event they tracked back (somehow) those related-token purchases.

But perhaps I'm just deep enough in the threat assessment mindset, nowadays, that any additional exposure of attack surface makes my hair stand on end. Still and all, the less surface exposed, the less risk of successful attacks. That's the mantra, eh?

:-)

severide
Posts: 27
Joined: Sun Nov 10, 2013 1:09 am

Re: Simultaneous devices

Postby severide » Thu Nov 21, 2013 4:30 am

Graze wrote:
caustic386 wrote: in that regard, is it feasible to issue multiple tokens per purchase? 3 seems most useful due to home router/server, phone and laptop/tablet


As in, multi-token packages? I sort of worry that any canned package like that could inadvertently create payment links between the three tokens, thereby (theoretically) providing an attack surface for someone to do correlation/traffic analysis across devices in the event they tracked back (somehow) those related-token purchases.

But perhaps I'm just deep enough in the threat assessment mindset, nowadays, that any additional exposure of attack surface makes my hair stand on end. Still and all, the less surface exposed, the less risk of successful attacks. That's the mantra, eh?

:-)


So instead of saying you offer 'x tokens per package', customers can just contact support with the number of tokens they need in order to connect their devices to the cryptostorm network? Is this something you guys can keep track of? What I mean is, if some douche asks for 5 tokens for all his devices, then sells 4, or saves them so he then has 5 months of your service but only paid for one month.

I'd love to be able to connect 3 of my devices, but I don't want people to abuse the crap outta your generosity either.

I guess you could probably add a timer to those "extra" tokens so they're in line with the "main" token's expiry date. Or have a max number of tokens you give out per month to one user.

severide
Posts: 27
Joined: Sun Nov 10, 2013 1:09 am

Re: Simultaneous devices

Postby severide » Thu Nov 21, 2013 4:33 am

Crap, I just posted without being logged in. The post talking about 'x tokens per package' and keeping track of them was me (whenever a mod approves it).

{done ~admin}

