| version 1.10, 1998/02/23 18:36:03 |
version 1.11, 1998/02/23 18:40:25 |
|
|
| can be classified into three different aspects:<p> |
can be classified into three different aspects:<p> |
| |
|
| <ul> |
<ul> |
| <li> <a href=#prng>Pseudo Random Number Generators</a> (PRNG): ARC4, ... |
<li><a href=#prng>Pseudo Random Number Generators</a> (PRNG): ARC4, ... |
| <li> <a href=#hash>Cryptographic Hash Functions</a>: MD5, SHA1, ... |
<li><a href=#hash>Cryptographic Hash Functions</a>: MD5, SHA1, ... |
| <li> <a href=#trans>Cryptographic Transforms</a>: DES, Blowfish, ... |
<li><a href=#trans>Cryptographic Transforms</a>: DES, Blowfish, ... |
| </ul> |
</ul> |
| |
|
| <p> |
<p> |
|
|
| numbers which have certain important properties for system security:<p> |
numbers which have certain important properties for system security:<p> |
| |
|
| <ul> |
<ul> |
| <li> It should be impossible for an outsider to predict the output of the |
<li>It should be impossible for an outsider to predict the output of the |
| random number generator even with knowledge of previous output. |
random number generator even with knowledge of previous output. |
| <li> The generated numbers should not have repeating patterns which means |
<li>The generated numbers should not have repeating patterns which means |
| the PRNG should have a very long cycle length. |
the PRNG should have a very long cycle length. |
| </ul> |
</ul> |
| |
|
| Since a PRNG is normally just an algorithm where the same initial |
Since a PRNG is normally just an algorithm where the same initial |
|
|
| routines and are exported via devices to userland programs. |
routines and are exported via devices to userland programs. |
| In OpenBSD random numbers are used in many places, such as<p> |
In OpenBSD random numbers are used in many places, such as<p> |
| <ul> |
<ul> |
| <li> ports of a bound socket, |
<li>ports of a bound socket, |
| <li> PIDs of processes, |
<li>PIDs of processes, |
| <li> RPC transaction IDs, |
<li>RPC transaction IDs, |
| <li> DNS Query-IDs, |
<li>DNS Query-IDs, |
| <li> inode generation numbers and |
<li>inode generation numbers and |
| <li> password salts. |
<li>password salts. |
| </ul> |
</ul> |
| |
|
| <p> |
<p> |
|
|
| A Hash Function compresses its input data to a string of |
A Hash Function compresses its input data to a string of |
| constant size. For a Cryptographic Hash Function it is infeasible to find |
constant size. For a Cryptographic Hash Function it is infeasible to find |
| <ul> |
<ul> |
| <li> two inputs which have the same output (collision resistant), |
<li>two inputs which have the same output (collision resistant), |
| <li> a different input for a given input with the same output (2nd preimage resistant). |
<li>a different input for a given input with the same output |
| |
(2nd preimage resistant). |
| </ul> |
</ul> |
| |
|
| In OpenBSD MD5 and SHA1 are used as Cryptographic Hash Functions, e.g. |
In OpenBSD MD5 and SHA1 are used as Cryptographic Hash Functions, e.g. |
| <ul> |
<ul> |
| <li> in S/Key to provide one time passwords, |
<li>in S/Key to provide one time passwords, |
| <li> in <a href=http://wserver.physnet.uni-hamburg.de/provos/photuris/> |
<li>in <a href=http://wserver.physnet.uni-hamburg.de/provos/photuris/> |
| IPSec or Photuris</a> to authenticate the data origin of packets |
IPSec or Photuris</a> to authenticate the data origin of packets |
| and to ensure packet integrity. |
and to ensure packet integrity. |
| </ul> |
</ul> |
|
|
| <p> |
<p> |
| <a name=trans> |
<a name=trans> |
| <h3><font color=#e00000><strong>Cryptographic Transforms</strong></font></h3> |
<h3><font color=#e00000><strong>Cryptographic Transforms</strong></font></h3> |
| Cryptographic Transforms are used to encrypt and decrypt data. There are |
Cryptographic Transforms are used to encrypt and decrypt data. These |
| normally provided with an encryption key for data encryption and with a |
are normally used with an encryption key for data encryption and with |
| decryption key for data decryption. The security of a Cryptographic Transform |
a decryption key for data decryption. The security of a Cryptographic |
| should rely only on the keying material. |
Transform should rely only on the keying material.<p> |
| |
|
| OpenBSD provides, e.g. DES and Blowfish encryption for the kernel and userland |
OpenBSD provides transforms like DES and Blowfish for the kernel and userland |
| programs, which are used, e.g. |
programs, which are used in many places like |
| <ul> |
<ul> |
| <li> in libc for creating Blowfish passwords, |
<li>in libc for creating Blowfish passwords, |
| <li> in <a href=http://wserver.physnet.uni-hamburg.de/provos/photuris/>IPSec</a> |
<li>in <a href=http://wserver.physnet.uni-hamburg.de/provos/photuris/>IPSec</a> |
| to provide confidentiality for the network layer, |
to provide confidentiality for the network layer, |
| <li> in kerberized telnet, |
<li>in kerberized telnet, |
| <li> in Photuris to protect the exchanged packet content. |
<li>in Photuris to protect the exchanged packet content. |
| </ul> |
</ul> |
| |
|
| <p> |
<p> |
![[BACK]](/icons/back.gif){kind=icon}
Return to crypto.html CVS log ![[TXT]](/icons/text.gif){kind=icon}
![[DIR]](/icons/dir.gif){kind=icon}
Up to [local] / www