version 1.50, 1999/11/18 00:15:36 |
version 1.51, 2000/04/13 12:47:04 |
|
|
<a href=#prng>Pseudo Random Number Generators</a> (PRNG): ARC4, ...<br> |
<a href=#prng>Pseudo Random Number Generators</a> (PRNG): ARC4, ...<br> |
<a href=#hash>Cryptographic Hash Functions</a>: MD5, SHA1, ...<br> |
<a href=#hash>Cryptographic Hash Functions</a>: MD5, SHA1, ...<br> |
<a href=#trans>Cryptographic Transforms</a>: DES, Blowfish, ...<br> |
<a href=#trans>Cryptographic Transforms</a>: DES, Blowfish, ...<br> |
|
<a href=#hardware>Cryptographic Hardware support</a><br> |
<a href=#people>International Cryptographers wanted</a><br> |
<a href=#people>International Cryptographers wanted</a><br> |
<a href=#papers>Further Reading</a><br> |
<a href=#papers>Further Reading</a><br> |
<p> |
<p> |
|
|
confidentiality of remote filesystem access. |
confidentiality of remote filesystem access. |
<li>In libssl to let applications communicate over the de-facto standard |
<li>In libssl to let applications communicate over the de-facto standard |
cryptographically secure SSL protocol. |
cryptographically secure SSL protocol. |
|
</ul> |
|
|
|
<p> |
|
<a name=hardware></a> |
|
<h3><font color=#e00000>Cryptographic Hardware Support</font></h3><p> |
|
|
|
OpenBSD starting with 2.7 supports some limited cryptography hardware. |
|
<ul> |
|
<li><b>IPSEC crypto dequeue</b><br> |
|
Our IPSEC stack has been modified so that cryptographic functions get |
|
done out-of-line. Most simple software IPSEC stacks need to do |
|
cryptography when processing each packet. This results in syncronous |
|
performance. To use hardware properly and speedily one needs to seperate |
|
these two components, as we have done. Actually, doing this gains some |
|
performance even for the software case. |
|
<p> |
|
<li><b>HiFn 7751</b><br> |
|
Cards using the 7751 can be used as a cryptographic accelerator (ie. |
|
<a href="http://www.powercrypt.com">PowerCrypt</a>). |
|
Current performance using a single Hifn 7751 on each end of a tunnel |
|
is 63Mbit/sec for 3DES/SHA1 ESP, nearly a 600% improvement over |
|
using a P3/550 cpu. Further improvements are under way to resolve a |
|
few more issues, but as of April 13, 2000 the code is considered |
|
stable.<p> |
|
The 7751 is considered slow by industry standards and many vendors have |
|
faster chips (even HiFn now has a faster but much more expensive chip). |
|
We are already looking at supporting other chips such as |
|
<a href="http://www.ire.com/OEM/OEMTechnologyDefault.htm">IRE 2141</a>, |
|
<a href="http://www.bluesteelnet.com/product.html">Bluesteelnet 5501</a>, |
|
<a href="http://www.pcc.pijnenburg.nl/pcc-ises.htm">Pijnenburg PCC-ISES</a>, |
|
perhaps the |
|
<a href="http://www.3com.com/promotions/3c990promo/index.html">3com 3c990</a>, |
|
and others. IRE and Bluesteelnet in particular have already been very |
|
friendly, and have given us all the information we need to support their |
|
hardware. If people wish to help with writing drivers, |
|
<a href=#people>come and help us</a>. |
|
(Note: Intel (and 3com to a lesser degree) don't yet fully understand how |
|
they could benefit from giving us documentation for their cryptography |
|
cards, so feel free to contact them independently and encourage them.) |
|
|
|
<p> |
|
<li><b>Intel 82802AB/82802AC Firmware Hub RNG</b><br> |
|
The 82802 FWH chip (found on i810, i820, and i840 motherboards) contains |
|
a random number generator (RNG). High-performance IPSEC requires more |
|
random number entropy. As of April 10, 2000, we support the RNG. We |
|
will add support for other RNG's found on crypto chips. |
</ul> |
</ul> |
|
|
<p> |
<p> |