version 1.142, 2014/05/02 18:55:39 |
version 1.143, 2014/05/02 18:58:56 |
|
|
We've been including IPsec since the OpenBSD 2.1 release in 1997. |
We've been including IPsec since the OpenBSD 2.1 release in 1997. |
<p> |
<p> |
|
|
Today cryptography is an important means for enhancing the |
|
<a href="security.html">security</a> of an operating system. The |
|
cryptography utilized in OpenBSD can be classified into various |
|
aspects, described as follows. |
|
<p> |
|
|
|
<a name="ssh"></a> |
<a name="ssh"></a> |
<h3><font color="#e00000">OpenSSH</font></h3><p> |
<h3><font color="#e00000">OpenSSH</font></h3><p> |
|
|
|
|
Roughly said, we took a free license release of ssh, OpenBSD-ifyed it. |
Roughly said, we took a free license release of ssh, OpenBSD-ifyed it. |
About a year later, we extended OpenSSH to also do SSH 2 protocol, the |
About a year later, we extended OpenSSH to also do SSH 2 protocol, the |
result being support for all 3 major SSH protocols: 1.3, 1.5, 2.0. |
result being support for all 3 major SSH protocols: 1.3, 1.5, 2.0. |
|
|
<a name="prng"></a> |
|
<h3><font color="#e00000">Pseudo Random Number Generators</font></h3><p> |
|
|
|
A Pseudo Random Number Generator (PRNG) provides applications with a stream of |
|
numbers which have certain important properties for system security:<p> |
|
|
|
<ul> |
|
<li>It should be impossible for an outsider to predict the output of the |
|
random number generator even with knowledge of previous output. |
|
<li>The generated numbers should not have repeating patterns which means |
|
the PRNG should have a very long cycle length. |
|
</ul> |
|
<p> |
|
|
|
A PRNG is normally just an algorithm where the same initial starting |
|
values will yield the same sequence of outputs. On a multiuser |
|
operating system there are many sources which allow seeding the PRNG |
|
with random data. The OpenBSD kernel uses the mouse interrupt timing, |
|
network data interrupt latency, inter-keypress timing and disk IO |
|
information to fill an entropy pool. Random numbers are available for |
|
kernel routines and are exported via devices to userland programs. |
|
|
|
<p> |
|
<a name="hash"></a> |
|
<h3><font color="#e00000">Cryptographic Hash Functions</font></h3><p> |
|
|
|
A Hash Function compresses its input data to a string of |
|
constant size. For a Cryptographic Hash Function it is infeasible to find: |
|
|
|
<ul> |
|
<li>two inputs which have the same output (collision resistant), |
|
<li>a different input for a given input with the same output |
|
(2nd preimage resistant). |
|
</ul> |
|
<p> |
|
|
|
<p> |
|
<a name="trans"></a> |
|
<h3><font color="#e00000">Cryptographic Transforms</font></h3><p> |
|
|
|
Cryptographic Transforms are used to encrypt and decrypt data. These |
|
are normally used with an encryption key for data encryption and with |
|
a decryption key for data decryption. The security of a Cryptographic |
|
Transform should rely only on the keying material.<p> |
|
|
|
<p> |
<p> |
<a name="people"></a> |
<a name="people"></a> |