LogMeIn Hamachi Security

At LogMeIn, we take the security and protection of your important files, data, and personal information very seriously. Our products are architected with security being the most important design objective. As part of this commitment our datacenters and source code are continually reviewed by independent, accredited third party audit firms to ensure data that your information remains confidential.

All communications by LogMeIn products use industry-standard algorithms and protocols for encryption and authentication. Nobody will be able to see or access the data transmitted between your computers - not even us.

Architecture

LogMeIn Hamachi's security is end-to-end: two Hamachi nodes exchange information with each other after mutual authentication and session key agreement. While node-to-node traffic (that is, regular VPN flow) typically bypasses LogMeIn's servers and is sent directly from one point to the other, even traffic that has to be relayed through a server is secured and encrypted at the endpoints.

Authentication

Authentication, in short, is the process of verifying endpoint, user and server identities. This step, at the beginning of a connection, ensures that data is only exchanged between the correct parties.

Authentication ensures that the identities of everyone in your Hamachi networks, from the LogMeIn Hamachi servers to your Hamachi nodes, are verified.
The LogMeIn servers authenticate Hamachi nodes using an RSA keypair. To log in, the node submits its Hamachi identifier and uses its private key to sign the server's challenge. The server verifies the signature and this authenticates the client.
Hamachi nodes authenticate LogMeIn's servers using an RSA keypair. When the node connects to the server, it announces which key it expects the server to have. If the server has the requested key, the login sequence commences.

Encryption

Encryption is a method that scrambles and unscrambles various pieces of information so that it can be sent securely from one location to another.

When any two entities exchange data with each other, a key exchange protocol takes place in conjunction with the obligatory authentication phase outlined above. The key exchange protocol is Diffie-Hellman with the 2048-bit MODP group as defined in RFC 3526.

Once a session key has been established, the AES-256-CBC cipher is used for data encryption and decryption, with ESP-style padding as defined in RFC 2406.
Packets are authenticated with the HMAC-SHA-1-96 (RFC 2404) variant of HMAC-SHA1 (RFC 2104).
Packets are numbered to prevent replay attacks.

Administration

Every LogMeIn Hamachi node has administrative options to help maintain the security of Hamachi networks. The following facilities are available for client-based networks:

Password protection: only users with knowledge of the network password may join the network.
Network lock: prevents users from joining a particular network.
Membership approval: new nodes submit a join request that has to be manually approved on the network owner node. It is possible to verify the thumbprint of the new node's RSA key before approval.
Member eviction / ban: Evict or permanently ban a node from a network.

Centralized Administration

With Hamachi, the recommended way to manage virtual networks is with LogMeIn.com. One account (such as a company) can own multiple nodes and multiple networks. The standard network controls, described above, are available through the web interface as well. With LogMeIn Central, it is possible to define multiple users who may log on to administer the network(s).