expressvpn / lightway-core

Lightway Core is a modern VPN protocol by ExpressVPN, to deliver a VPN experience that’s faster, more secure, and more reliable.
https://www.expressvpn.com/lightway
GNU General Public License v2.0

Question on "control channel" authentication mechanism #161

Open pqfan opened 7 months ago

pqfan commented 7 months ago

Greetings all! First of all, as an older ExpressVPN customer and fan, I would like to thank the whole Lightway dev community, both staff and volunteers, for continuing to work on and enhance this new secure protocol, providing ExpressVPN and other users with a future-proof secure internet experience.

I have a technical question, while my knowledge in this field is low to moderate, on how the actual authentication mechanism between the Lightway client and server is handled (or the possible ways it could be handled), especially in the case of ExpressVPN, where there is a user base that needs to be authenticated. I do not want/need specific details, just the general idea. I want to figure out if it is possible for the user/customer to alter some or all of the authentication parameters on demand/on their own.

Thank you for your great and pioneering work.

Best regards!

xv-pete-m commented 7 months ago

Hi @pqfan, thanks for reaching out! 🙂

Lightway itself has a pluggable authentication system. This means that it is possible to implement support for any number (well, technically 256 I think) of ways to authenticate. The most basic way to do this is with a username and password and is effectively what ExpressVPN uses today.

To answer your question on whether the user can alter some or all of the parameters, the answer is: it depends. If you build your own Lightway server and client, you are free to change anything you like, and doing so is fairly straightforward. With regards to using Lightway on ExpressVPN, there is nothing that the end user can change, but as all that is provided is a username and password, there's really not a lot you could change in any case.

Hope this helps answer your question, and please do feel free to ask follow-up questions 🙂

pqfan commented 7 months ago

Hello Pete, I really thank you for your enlightening and clear reply.

Yes, I also guess that credential-based authentication, along with other enforced mechanisms, is the best way to do this. Since I am always talking about Lightway client-server authentication, do the username and password credentials the user has set come into play anywhere in this whole process? What I want to examine with this question is whether, in case a user sets a strong enough/complex password, it will end up enforcing the strength of his client-server auth (or otherwise I guess there are "internal" credentials fetched by the ExpressVPN app, etc.).

Thanks again for your time, help and great work.

xv-pete-m commented 7 months ago

This sort of policy would generally be enforced elsewhere. For example, when setting a password, you would require it to be a certain length or contain uppercase and lowercase letters. This means that only a password that matches the policy can be set. If you have that, then it doesn't need to be enforced in the client, because entering a weak password will never match the user's actual password as they would not have been able to set it to that.

For ExpressVPN (not Lightway specific), the credentials are long and randomly generated. As such, every account has strong privacy and a strong password. As these credentials are delivered directly in our apps, users don't need to interact with the credentials at all, and so there's no additional overhead or complexity, just improved security.

Lightway itself has no mechanism to set credentials and only carries the credentials it has been configured to use, so the mechanism you describe wouldn't be necessary. However, if someone were to write a Lightway extension to allow the changing of passwords, then the issues you raise would definitely need to be taken into account and addressed.
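As an added illustration (not lightway-core's own code; the handler signature, the `"username\0password"` wire form and the 12-character minimum are assumptions), a C sketch of the two points made above: a one-byte auth-type dispatch table, which is where a ceiling of 256 pluggable methods comes from, and a set-time password policy check so that the client needs no enforcement of its own.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical handler signature: accept or reject one credential blob. */
typedef bool (*auth_handler_fn)(const uint8_t *cred, size_t len);
/* One auth-type byte selects the handler, hence at most 256 pluggable
 * methods. Unregistered slots stay NULL. */
static auth_handler_fn g_handlers[256];
bool auth_register(uint8_t type, auth_handler_fn fn) {
    if (g_handlers[type] != NULL) return false; /* never overwrite silently */
    g_handlers[type] = fn;
    return true;
}
/* Unknown or unregistered types are rejected, never defaulted to "ok". */
bool auth_dispatch(uint8_t type, const uint8_t *cred, size_t len) {
    return g_handlers[type] != NULL && g_handlers[type](cred, len);
}
/* Constant-time compare: timing must not reveal how many bytes matched. */
static bool ct_equal(const uint8_t *a, const uint8_t *b, size_t n) {
    uint8_t diff = 0;
    for (size_t i = 0; i < n; i++) diff |= a[i] ^ b[i];
    return diff == 0;
}
/* Constructed server-side record for the basic username/password type. */
static const char *k_user = "alice";
static const char *k_pass = "correct horse battery staple";
/* Assumed wire form for this type: "username\0password". */
static bool userpass_handler(const uint8_t *cred, size_t len) {
    const uint8_t *nul = memchr(cred, 0, len);
    if (nul == NULL) return false;
    size_t ulen = (size_t)(nul - cred), plen = len - ulen - 1;
    if (ulen != strlen(k_user) || plen != strlen(k_pass)) return false;
    return ct_equal(cred, (const uint8_t *)k_user, ulen) &
           ct_equal(nul + 1, (const uint8_t *)k_pass, plen);
}

/* Set-time policy check, where the thread says policy belongs: a weak
 * password can never be stored, so the client needs no check of its own.
 * The minimum length of 12 is an assumed value. */
bool password_meets_policy(const char *pw) {
    bool upper = false, lower = false;
    for (const char *p = pw; *p; p++) {
        upper |= isupper((unsigned char)*p) != 0;
        lower |= islower((unsigned char)*p) != 0;
    }
    return strlen(pw) >= 12 && upper && lower;
}
```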

pqfan commented 7 months ago

Pete, thanks again for the direct response.

Yes, I would agree that if the actual authentication credentials were user-set, that could possibly lead to a security leak in case these considerations were not taken into account. Furthermore, hardening the security of the actual auth mechanism internally is really the best option, so I don't have to worry about that.

The only possible add-on for this mechanism would be an option for the user to "refresh" or renew the actual auth credentials by purging the older ones and regenerating new ones, but that would require a pre-existing secure channel for these to be re-transferred. After all, since you at ExpressVPN have many years of expertise in the field of internet security, I guess you always have the first and last word on this and always pick the best available path for things to be done securely.

Thanks again and warm regards!