version 1.10, 1998/02/23 18:36:03 |
version 1.11, 1998/02/23 18:40:25 |
|
|
can be classified into three different aspects:<p> |
can be classified into three different aspects:<p> |
|
|
<ul> |
<ul> |
<li> <a href=#prng>Pseudo Random Number Generators</a> (PRNG): ARC4, ... |
<li><a href=#prng>Pseudo Random Number Generators</a> (PRNG): ARC4, ... |
<li> <a href=#hash>Cryptographic Hash Functions</a>: MD5, SHA1, ... |
<li><a href=#hash>Cryptographic Hash Functions</a>: MD5, SHA1, ... |
<li> <a href=#trans>Cryptographic Transforms</a>: DES, Blowfish, ... |
<li><a href=#trans>Cryptographic Transforms</a>: DES, Blowfish, ... |
</ul> |
</ul> |
|
|
<p> |
<p> |
|
|
numbers which have certain important properties for system security:<p> |
numbers which have certain important properties for system security:<p> |
|
|
<ul> |
<ul> |
<li> It should be impossible for an outsider to predict the output of the |
<li>It should be impossible for an outsider to predict the output of the |
random number generator even with knowledge of previous output. |
random number generator even with knowledge of previous output. |
<li> The generated numbers should not have repeating patterns which means |
<li>The generated numbers should not have repeating patterns which means |
the PRNG should have a very long cycle length. |
the PRNG should have a very long cycle length. |
</ul> |
</ul> |
|
|
Since a PRNG is normally just an algorithm where the same initial |
Since a PRNG is normally just an algorithm where the same initial |
|
|
routines and are exported via devices to userland programs. |
routines and are exported via devices to userland programs. |
In OpenBSD random numbers are used in many places, such as<p> |
In OpenBSD random numbers are used in many places, such as<p> |
<ul> |
<ul> |
<li> ports of a bound socket, |
<li>ports of a bound socket, |
<li> PIDs of processes, |
<li>PIDs of processes, |
<li> RPC transaction IDs, |
<li>RPC transaction IDs, |
<li> DNS Query-IDs, |
<li>DNS Query-IDs, |
<li> inode generation numbers and |
<li>inode generation numbers and |
<li> password salts. |
<li>password salts. |
</ul> |
</ul> |
|
|
<p> |
<p> |
|
|
A Hash Function compresses its input data to a string of |
A Hash Function compresses its input data to a string of |
constant size. For a Cryptographic Hash Function it is infeasible to find |
constant size. For a Cryptographic Hash Function it is infeasible to find |
<ul> |
<ul> |
<li> two inputs which have the same output (collision resistant), |
<li>two inputs which have the same output (collision resistant), |
<li> a different input for a given input with the same output (2nd preimage resistant). |
<li>a different input for a given input with the same output |
|
(2nd preimage resistant). |
</ul> |
</ul> |
|
|
In OpenBSD MD5 and SHA1 are used as Cryptographic Hash Functions, e.g. |
In OpenBSD MD5 and SHA1 are used as Cryptographic Hash Functions, e.g. |
<ul> |
<ul> |
<li> in S/Key to provide one time passwords, |
<li>in S/Key to provide one time passwords, |
<li> in <a href=http://wserver.physnet.uni-hamburg.de/provos/photuris/> |
<li>in <a href=http://wserver.physnet.uni-hamburg.de/provos/photuris/> |
IPSec or Photuris</a> to authenticate the data origin of packets |
IPSec or Photuris</a> to authenticate the data origin of packets |
and to ensure packet integrity. |
and to ensure packet integrity. |
</ul> |
</ul> |
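Review bot: The property list under "it is infeasible to find" covers collision resistance and 2nd preimage resistance but leaves out preimage resistance (finding any input for a given output), which is what the S/Key one-time-password use listed right after it relies on. Suggest adding a third <li> for it. In the same region the href in the "IPSec or Photuris" item is unquoted although the URL contains "/" and ends directly before ">"; quoting it avoids depending on lenient parsing.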
|
|
<p> |
<p> |
<a name=trans> |
<a name=trans> |
<h3><font color=#e00000><strong>Cryptographic Transforms</strong></font></h3> |
<h3><font color=#e00000><strong>Cryptographic Transforms</strong></font></h3> |
Cryptographic Transforms are used to encrypt and decrypt data. There are |
Cryptographic Transforms are used to encrypt and decrypt data. These |
normally provided with an encryption key for data encryption and with a |
are normally used with an encryption key for data encryption and with |
decryption key for data decryption. The security of a Cryptographic Transform |
a decryption key for data decryption. The security of a Cryptographic |
should rely only on the keying material. |
Transform should rely only on the keying material.<p> |
|
|
OpenBSD provides, e.g. DES and Blowfish encryption for the kernel and userland |
OpenBSD provides transforms like DES and Blowfish for the kernel and userland |
programs, which are used, e.g. |
programs, which are used in many places like |
<ul> |
<ul> |
<li> in libc for creating Blowfish passwords, |
<li>in libc for creating Blowfish passwords, |
<li> in <a href=http://wserver.physnet.uni-hamburg.de/provos/photuris/>IPSec</a> |
<li>in <a href=http://wserver.physnet.uni-hamburg.de/provos/photuris/>IPSec</a> |
to provide confidentiality for the network layer, |
to provide confidentiality for the network layer, |
<li> in kerberized telnet, |
<li>in kerberized telnet, |
<li> in Photuris to protect the exchanged packet content. |
<li>in Photuris to protect the exchanged packet content. |
</ul> |
</ul> |
|
|
<p> |
<p> |
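Review bot: The new lead-in "which are used in many places like" runs into list items that each start with "in", so the first item reads "like in libc for creating Blowfish passwords". Suggest either a lead-in such as "which are used" or dropping "in" from the items. In the reworded paragraph above it, "with an encryption key for data encryption and with a decryption key for data decryption" reads as if two distinct keys are always involved, while DES and Blowfish, the transforms named here, use the same key in both directions; a short clause saying so would help. The <a name=trans> before the heading is also not closed in these lines.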