| version 1.113, 2002/11/15 18:09:15 |
version 1.114, 2002/11/21 20:17:00 |
|
|
| <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML Strict Level 2//EN//2.0"> |
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> |
| <html> |
<html> |
| <head> |
<head> |
| <title>Cryptography in OpenBSD</title> |
<link rev="made" href="mailto:www@openbsd.org"> |
| <link rev=made href=mailto:www@openbsd.org> |
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"> |
| <meta name="resource-type" content="document"> |
<meta name="resource-type" content="document"> |
| <meta name="description" content="OpenBSD cryptography"> |
<meta name="description" content="OpenBSD cryptography"> |
| <meta name="keywords" content="openbsd,cryptography,openssh,openssl,kerberos"> |
<meta name="keywords" content="openbsd,cryptography,openssh,openssl,kerberos"> |
| <meta name="keywords" content="ipsec,isakmp,ike,blowfish,des,rsa,dsa"> |
<meta name="keywords" content="ipsec,isakmp,ike,blowfish,des,rsa,dsa"> |
| <meta name="distribution" content="global"> |
<meta name="distribution" content="global"> |
| <meta name="copyright" content="This document copyright 1997-2002 by OpenBSD."> |
<meta name="copyright" content="This document copyright 1997-2002 by OpenBSD."> |
| |
<title>Cryptography in OpenBSD</title> |
| </head> |
</head> |
| |
|
| <BODY BGCOLOR="#FFFFFF" TEXT="#000000" LINK="#23238E"> |
<body bgcolor="#ffffff" text="#000000" link="#23238e"> |
| <img align=left alt="[OpenBSD]" height=166 width=197 SRC="images/blowfish-notext.jpg"> |
<img align="left" alt="[OpenBSD]" height="166" width="197" SRC="images/blowfish-notext.jpg"> |
| <br> |
<br> |
| <br> |
<br> |
| <br> |
<br> |
|
|
| measures, including cryptography, work together."<br> |
measures, including cryptography, work together."<br> |
| <br> |
<br> |
| -- Bruce Schneier, author of "Applied Cryptography". |
-- Bruce Schneier, author of "Applied Cryptography". |
| <br clear=all> |
<br clear="all"> |
| <h2><font color=#e00000>Cryptography</font><hr></h2> |
<h2><font color="#e00000">Cryptography</font></h2> |
| |
<hr> |
| |
|
| <strong>Index</strong><br> |
<strong>Index</strong><br> |
| <a href=#why>Why do we ship cryptography?</a>.<br> |
<a href="#why">Why do we ship cryptography?</a>.<br> |
| <a href=#ssh>OpenSSH</a>.<br> |
<a href="#ssh">OpenSSH</a>.<br> |
| <a href=#prng>Pseudo Random Number Generators</a> (PRNG): ARC4, ...<br> |
<a href="#prng">Pseudo Random Number Generators</a> (PRNG): ARC4, ...<br> |
| <a href=#hash>Cryptographic Hash Functions</a>: MD5, SHA1, ...<br> |
<a href="#hash">Cryptographic Hash Functions</a>: MD5, SHA1, ...<br> |
| <a href=#trans>Cryptographic Transforms</a>: DES, Blowfish, ...<br> |
<a href="#trans">Cryptographic Transforms</a>: DES, Blowfish, ...<br> |
| <a href=#hardware>Cryptographic Hardware support</a><br> |
<a href="#hardware">Cryptographic Hardware support</a><br> |
| <a href=#people>International Cryptographers wanted</a><br> |
<a href="#people">International Cryptographers wanted</a><br> |
| <a href=#papers>Further Reading</a><br> |
<a href="#papers">Further Reading</a><br> |
| <p> |
<p> |
| <hr> |
<hr> |
| |
|
| <a name=why></a> |
<a name="why"></a> |
| <h3><font color=#e00000>Why do we ship cryptography?</font></h3><p> |
<h3><font color="#e00000">Why do we ship cryptography?</font></h3><p> |
| |
|
| In three words: <strong>because we can</strong>.<p> |
In three words: <strong>because we can</strong>.<p> |
| |
|
| The OpenBSD project is based in Canada.<p> |
The OpenBSD project is based in Canada.<p> |
| |
|
| The <a href=ECL.html>Export Control List of Canada</a> |
The <a href="ECL.html">Export Control List of Canada</a> |
| places no significant restriction on the export of |
places no significant restriction on the export of |
| cryptographic software, and is even more explicit about the free |
cryptographic software, and is even more explicit about the free |
| export of freely-available cryptographic software. Marc Plumb has |
export of freely-available cryptographic software. Marc Plumb has |
| done |
done |
| <a href=http://insight.mcmaster.ca/org/efc/pages/doc/crypto-export.html> |
<a href="http://insight.mcmaster.ca/org/efc/pages/doc/crypto-export.html"> |
| some research to test the cryptographic laws</a>. |
some research to test the cryptographic laws</a>. |
| <p> |
<p> |
| |
|
| Hence the OpenBSD project has embedded cryptography into numerous places |
Hence the OpenBSD project has embedded cryptography into numerous places |
| in the operating system. We require that the cryptographic software we |
in the operating system. We require that the cryptographic software we |
| use be <a href=policy.html>freely available and with good licenses</a>. |
use be <a href="policy.html">freely available and with good licenses</a>. |
| We do not directly use cryptography with nasty patents. |
We do not directly use cryptography with nasty patents. |
| We also require that such software is from countries with useful export |
We also require that such software is from countries with useful export |
| licenses because we do not wish to break the laws of any country. |
licenses because we do not wish to break the laws of any country. |
|
|
| has been extended to make use of Kerberos as well.<p> |
has been extended to make use of Kerberos as well.<p> |
| |
|
| |
|
| <img align=right src="images/vpnc-test-partner.gif"> |
<img align="right" src="images/vpnc-test-partner.gif" alt="VPNC TEST PARTNER"> |
| OpenBSD was the first operating system to ship with an IPsec stack. |
OpenBSD was the first operating system to ship with an IPsec stack. |
| We've been including IPsec since the OpenBSD 2.1 release in 1997. |
We've been including IPsec since the OpenBSD 2.1 release in 1997. |
| Our fully conformant in-kernel IPsec stack, with hardware acceleration |
Our fully conformant in-kernel IPsec stack, with hardware acceleration |
| based on a number of cards, and our own free ISAKMP daemon, is used as |
based on a number of cards, and our own free ISAKMP daemon, is used as |
| one of the machines in the IPsec conformance testbed run by |
one of the machines in the IPsec conformance testbed run by |
| <a href="http://www.vpnc.org">VPNC</a>. |
<a href="http://www.vpnc.org">VPNC</a>. |
| <br clear=all> |
<br clear="all"> |
| <p> |
<p> |
| |
|
| Today cryptography is an important means for enhancing the <a |
Today cryptography is an important means for enhancing the <a |
| href=security.html>security</a> of an operating system. The |
href="security.html">security</a> of an operating system. The |
| cryptography utilized in OpenBSD can be classified into various |
cryptography utilized in OpenBSD can be classified into various |
| aspects, described as follows.<p> |
aspects, described as follows.<p> |
| |
|
| <a name=ssh></a> |
<a name="ssh"></a> |
| <h3><font color=#e00000>OpenSSH</font></h3><p> |
<h3><font color="#e00000">OpenSSH</font></h3><p> |
| |
|
| What is the first thing most people do after installing OpenBSD? |
What is the first thing most people do after installing OpenBSD? |
| They install Secure Shell |
They install Secure Shell |
| (<a href=http://www.openbsd.org/cgi-bin/man.cgi?query=ssh>ssh</a>) |
(<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a>) |
| from the ports tree or the packages on the FTP sites. Until now, that is.<p> |
from the ports tree or the packages on the FTP sites. Until now, that is.<p> |
| |
|
| As of the 2.6 release, OpenBSD contains |
As of the 2.6 release, OpenBSD contains |
|
|
| <ul> |
<ul> |
| <li> |
<li> |
| all components of a restrictive nature (i.e., patents, see |
all components of a restrictive nature (i.e., patents, see |
| <a href=http://www.openbsd.org/cgi-bin/man.cgi?query=ssl>ssl</a>) |
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssl&sektion=8">ssl(8)</a>) |
| had been directly removed from the source code; any licensed or |
had been directly removed from the source code; any licensed or |
| patented components used external libraries. |
patented components used external libraries. |
| </li> |
|
| <li> |
<li> |
| had been updated to support ssh protocol 1.5. |
had been updated to support ssh protocol 1.5. |
| </li> |
|
| <li> |
<li> |
| contained added support for |
contained added support for |
| <a href=http://www.openbsd.org/cgi-bin/man.cgi?query=kerberos>kerberos</a> |
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=kerberos&sektion=1">kerberos(1)</a> |
| authentication and ticket passing. |
authentication and ticket passing. |
| </li> |
|
| <li> |
<li> |
| supported one-time password authentication with |
supported one-time password authentication with |
| <a href=http://www.openbsd.org/cgi-bin/man.cgi?query=skey>skey</a>. |
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=skey&sektion=1">skey(1)</a>. |
| </li> |
|
| </ul> |
</ul> |
| <p> |
<p> |
| |
|
|
|
| About a year later, we extended OpenSSH to also do SSH 2 protocol, the |
About a year later, we extended OpenSSH to also do SSH 2 protocol, the |
| result being support for all 3 major SSH protocols: 1.3, 1.5, 2.0. |
result being support for all 3 major SSH protocols: 1.3, 1.5, 2.0. |
| |
|
| <a name=prng></a> |
<a name="prng"></a> |
| <h3><font color=#e00000>Pseudo Random Number Generators</font></h3><p> |
<h3><font color="#e00000">Pseudo Random Number Generators</font></h3><p> |
| |
|
| A Pseudo Random Number Generator (PRNG) provides applications with a stream of |
A Pseudo Random Number Generator (PRNG) provides applications with a stream of |
| numbers which have certain important properties for system security:<p> |
numbers which have certain important properties for system security:<p> |
|
|
| <li>random padding in IPsec esp_old packets. |
<li>random padding in IPsec esp_old packets. |
| <li>To generate salts for the various password algorithms. |
<li>To generate salts for the various password algorithms. |
| <li>For generating fake S/Key challenges. |
<li>For generating fake S/Key challenges. |
| <li>In <a href=http://www.openbsd.org/cgi-bin/man.cgi?query=isakmpd>isakmpd</a> |
<li>In <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=isakmpd&sektion=8">isakmpd(8)</a> |
| to provide liveness proof of key exchanges. |
to provide liveness proof of key exchanges. |
| </ul> |
</ul> |
| |
|
| <p> |
<p> |
| <a name=hash></a> |
<a name="hash"></a> |
| <h3><font color=#e00000>Cryptographic Hash Functions</font></h3><p> |
<h3><font color="#e00000">Cryptographic Hash Functions</font></h3><p> |
| |
|
| A Hash Function compresses its input data to a string of |
A Hash Function compresses its input data to a string of |
| constant size. For a Cryptographic Hash Function it is infeasible to find: |
constant size. For a Cryptographic Hash Function it is infeasible to find: |
|
|
| In OpenBSD MD5, SHA1, and RIPEMD-160 are used as Cryptographic Hash Functions, |
In OpenBSD MD5, SHA1, and RIPEMD-160 are used as Cryptographic Hash Functions, |
| e.g:<p> |
e.g:<p> |
| <ul> |
<ul> |
| <li>In <a href=http://www.openbsd.org/cgi-bin/man.cgi?query=skey>S/Key</a> |
<li>In <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=skey&sektion=1">S/Key(1)</a> |
| to provide one time passwords. |
to provide one time passwords. |
| <li>In <a href=http://www.openbsd.org/cgi-bin/man.cgi?query=ipsec>IPsec</a> |
<li>In <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ipsec&sektion=4">IPsec(4)</a> |
| and |
and |
| <a href=http://www.openbsd.org/cgi-bin/man.cgi?query=isakmpd>isakmpd(8)</a> |
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=isakmpd&sektion=8">isakmpd(8)</a> |
| to authenticate the data origin of packets and to ensure packet integrity. |
to authenticate the data origin of packets and to ensure packet integrity. |
| <li>For FreeBSD-style MD5 passwords (not enabled by default), see |
<li>For FreeBSD-style MD5 passwords (not enabled by default), see |
| <a href=http://www.openbsd.org/cgi-bin/man.cgi?query=passwd.conf&sektion=5> |
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=passwd.conf&sektion=5"> |
| passwd.conf(5)</a> |
passwd.conf(5)</a> |
| <li>For TCP SYN cookie support (not enabled by default), see |
<li>For TCP SYN cookie support (not enabled by default), see |
| <a href=http://www.openbsd.org/cgi-bin/man.cgi?query=options&sektion=4> |
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=options&sektion=4"> |
| options(4)</a> |
options(4)</a> |
| <li>In libssl for digital signing of messages. |
<li>In libssl for digital signing of messages. |
| </ul> |
</ul> |
|
|
| |
|
| <p> |
<p> |
| <a name="trans"></a> |
<a name="trans"></a> |
| <h3><font color=#e00000>Cryptographic Transforms</font></h3><p> |
<h3><font color="#e00000">Cryptographic Transforms</font></h3><p> |
| |
|
| Cryptographic Transforms are used to encrypt and decrypt data. These |
Cryptographic Transforms are used to encrypt and decrypt data. These |
| are normally used with an encryption key for data encryption and with |
are normally used with an encryption key for data encryption and with |
|
|
| kernel and userland programs, which are used in many places like:<p> |
kernel and userland programs, which are used in many places like:<p> |
| <ul> |
<ul> |
| <li>In libc for creating |
<li>In libc for creating |
| <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=blf_key">Blowfish</a> |
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=blf_key&sektion=3">Blowfish</a> |
| passwords. See also the <a href="papers/bcrypt-paper.ps">USENIX paper</a> |
passwords. See also the <a href="papers/bcrypt-paper.ps">USENIX paper</a> |
| on this topic. |
on this topic. |
| <li>In |
<li>In |
| <a href=http://www.openbsd.org/cgi-bin/man.cgi?query=ipsec>IPsec</a> |
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ipsec&sektion=4">IPsec(4)</a> |
| to provide confidentiality for the network layer. |
to provide confidentiality for the network layer. |
| <li>In Kerberos and a handful of kerberized applications, like |
<li>In Kerberos and a handful of kerberized applications, like |
| <a href=http://www.openbsd.org/cgi-bin/man.cgi?query=telnet>telnet</a>, |
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=telnet&sektion=1">telnet(1)</a>, |
| <a href=http://www.openbsd.org/cgi-bin/man.cgi?query=cvs>cvs</a>, |
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=cvs&sektion=1">cvs(1)</a>, |
| <a href=http://www.openbsd.org/cgi-bin/man.cgi?query=rsh>rsh</a>, |
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=rsh&sektion=1">rsh(1)</a>, |
| <a href=http://www.openbsd.org/cgi-bin/man.cgi?query=rcp>rcp</a>, |
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=rcp&sektion=1">rcp(1)</a>, |
| and |
and |
| <a href=http://www.openbsd.org/cgi-bin/man.cgi?query=rlogin>rlogin</a>. |
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=rlogin&sektion=1&manpath=OpenBSD+3.1">rlogin(1)</a>. |
| <li>In <a href=http://www.openbsd.org/cgi-bin/man.cgi?query=isakmpd>isakmpd</a> |
<li>In <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=isakmpd&sektion=8">isakmpd(8)</a> |
| to protect the exchanges where IPsec key material is negotiated. |
to protect the exchanges where IPsec key material is negotiated. |
| <li>In AFS to protect the messages passing over the network, providing |
<li>In AFS to protect the messages passing over the network, providing |
| confidentiality of remote filesystem access. |
confidentiality of remote filesystem access. |
|
|
| </ul> |
</ul> |
| |
|
| <p> |
<p> |
| <a name=hardware></a> |
<a name="hardware"></a> |
| <h3><font color=#e00000>Cryptographic Hardware Support</font></h3><p> |
<h3><font color="#e00000">Cryptographic Hardware Support</font></h3><p> |
| |
|
| OpenBSD, starting with 2.7, has begun supporting some cryptography hardware |
OpenBSD, starting with 2.7, has begun supporting some cryptography hardware |
| such as accelerators and random number generators. |
such as accelerators and random number generators. |
| <ul> |
<ul> |
| <li><b><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=crypto&sektion=9"> |
<li><b><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=crypto&sektion=9"> |
| IPsec crypto dequeue</a></b><br> |
IPsec crypto dequeue</a></b><br> |
| Our IPsec stack has been modified so that cryptographic functions get |
Our IPsec stack has been modified so that cryptographic functions get |
| done out-of-line. Most simple software IPsec stacks need to do |
done out-of-line. Most simple software IPsec stacks need to do |
|
|
| these two components, as we have done. Actually, doing this gains some |
these two components, as we have done. Actually, doing this gains some |
| performance even for the software case. |
performance even for the software case. |
| <p> |
<p> |
| <li><b><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=hifn&sektion=4"> |
<li><b><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=hifn&sektion=4"> |
| Hifn 7751</a></b><br> |
Hifn 7751</a></b><br> |
| Cards using the Hifn 7751 can be used as a symmetric cryptographic |
Cards using the Hifn 7751 can be used as a symmetric cryptographic |
| accelerator, i.e., the |
accelerator, i.e., the |
|
|
| crypto unlock algorithm). |
crypto unlock algorithm). |
| <p> |
<p> |
| |
|
| <li><b><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=lofn&sektion=4"> |
<li><b><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=lofn&sektion=4"> |
| Hifn 6500</a></b><br> |
Hifn 6500</a></b><br> |
| This device is an asymmetric crypto unit. It has support for RSA, DSA, |
This device is an asymmetric crypto unit. It has support for RSA, DSA, |
| and DH algorithms, as well as other major big number functions. It also |
and DH algorithms, as well as other major big number functions. It also |
|
|
| both the random number generator and big number unit are working. |
both the random number generator and big number unit are working. |
| <p> |
<p> |
| |
|
| <li><b><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=nofn&sektion=4"> |
<li><b><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=nofn&sektion=4"> |
| Hifn 7814/7851/7854</a></b><br> |
Hifn 7814/7851/7854</a></b><br> |
| This device is a packet processor and asymmetric crypto unit. It has |
This device is a packet processor and asymmetric crypto unit. It has |
| support for RSA, DSA, and DH algorithms, as well as other major big number |
support for RSA, DSA, and DH algorithms, as well as other major big number |
|
|
| packet transforms). |
packet transforms). |
| <p> |
<p> |
| |
|
| <li><b><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ubsec&sektion=4"> |
<li><b><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ubsec&sektion=4"> |
| Broadcom BCM5801/BCM5802/BCM5805/BCM5820/BCM5821/BCM5822 |
Broadcom BCM5801/BCM5802/BCM5805/BCM5820/BCM5821/BCM5822 |
| (or beta chip Bluesteelnet 5501/5601)</a></b><br> |
(or beta chip Bluesteelnet 5501/5601)</a></b><br> |
| Just after the OpenBSD 2.7 release, we succeeded at adding preliminary |
Just after the OpenBSD 2.7 release, we succeeded at adding preliminary |
|
|
| some undocumented interrupt handling requirements). |
some undocumented interrupt handling requirements). |
| <p> |
<p> |
| |
|
| <li><b><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ises&sektion=4"> |
<li><b><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ises&sektion=4"> |
| Securealink PCC-ISES</a></b><br> |
Securealink PCC-ISES</a></b><br> |
| The <a href="http://www.safenet-inc.com/technology/chips/safexcel_ises.asp">PCC-ISES</a> is |
The <a href="http://www.securealink.com/pcc-ises.html">PCC-ISES</a> is |
| a new chipset from the Netherlands. We have received sample hardware |
a new chipset from the Netherlands. We have received sample hardware |
| and documentation, and work on a driver is in progress. At the moment, |
and documentation, and work on a driver is in progress. At the moment, |
| the driver is capable of feeding random numbers into the kernel entropy |
the driver is capable of feeding random numbers into the kernel entropy |
|
|
| |
|
| <li><b>SafeNet SafeXcel 2141</b><br> |
<li><b>SafeNet SafeXcel 2141</b><br> |
| We have received documentation and sample hardware for the |
We have received documentation and sample hardware for the |
| <a href="http://www.safenet-inc.com/technology/chips/safexcel_2141.asp">SafeNet</a> |
<a href="http://www.safenet-inc.com/technology/chips/Chip2141.asp">SafeNet</a> |
| crypto cards. Work to support at least the symmetric cryptography of |
crypto cards. Work to support at least the symmetric cryptography of |
| these devices has started. |
these devices has started. |
| <p> |
<p> |
| |
|
| <li><b><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=txp&sektion=4"> |
<li><b><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=txp&sektion=4"> |
| 3com 3cr990</a></b><br> |
3com 3cr990</a></b><br> |
| 3com gave us a driver to support the ethernet component of this chipset, |
3com gave us a driver to support the ethernet component of this chipset, |
| and based on that, we have written our own ethernet driver. This driver |
and based on that, we have written our own ethernet driver. This driver |
|
|
| documentation). |
documentation). |
| <p> |
<p> |
| |
|
| <li><b><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=pchb&sektion=4"> |
<li><b><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=pchb&sektion=4"> |
| Intel 82802AB/82802AC Firmware Hub RNG</a></b><br> |
Intel 82802AB/82802AC Firmware Hub RNG</a></b><br> |
| The 82802 FWH chip (found on i810, i820, i840, i850, and i860 motherboards) |
The 82802 FWH chip (found on i810, i820, i840, i850, and i860 motherboards) |
| contains a random number generator (RNG). High-performance IPsec |
contains a random number generator (RNG). High-performance IPsec |
|
|
| |
|
| <p> |
<p> |
| <b>If people wish to help with writing drivers, |
<b>If people wish to help with writing drivers, |
| <a href=#people>come and help us</a>.</b> |
<a href="#people">come and help us</a>.</b> |
| |
|
| <p> |
<p> |
| <a name=people></a> |
<a name="people"></a> |
| <h3><font color=#e00000>International Cryptographers Wanted</font></h3><p> |
<h3><font color="#e00000">International Cryptographers Wanted</font></h3><p> |
| |
|
| Of course, our project needs people to work on these systems. If any |
Of course, our project needs people to work on these systems. If any |
| non-American cryptographer who meets the constraints listed earlier is |
non-American cryptographer who meets the constraints listed earlier is |
|
|
| please contact us.<p> |
please contact us.<p> |
| |
|
| <p> |
<p> |
| <a name=papers></a> |
<a name="papers"></a> |
| <h3><font color=#e00000>Further Reading</font></h3><p> |
<h3><font color="#e00000">Further Reading</font></h3><p> |
| |
|
| A number of papers have been written by OpenBSD team members, about |
A number of papers have been written by OpenBSD team members, about |
| cryptographic changes they have done in OpenBSD. The postscript |
cryptographic changes they have done in OpenBSD. The postscript |
|
|
| |
|
| <ul> |
<ul> |
| <li>A Future-Adaptable Password Scheme.<br> |
<li>A Future-Adaptable Password Scheme.<br> |
| <a href=events.html#usenix99>Usenix 1999</a>, |
<a href="events.html#usenix99">Usenix 1999</a>, |
| by <a href=mailto:provos@openbsd.org>Niels Provos</a>, |
by <a href="mailto:provos@openbsd.org">Niels Provos</a>, |
| <a href=mailto:dm@openbsd.org>David Mazieres</a>.<br> |
<a href="mailto:dm@openbsd.org">David Mazieres</a>.<br> |
| <a href=papers/bcrypt-paper.ps>paper</a> and |
<a href="papers/bcrypt-paper.ps">paper</a> and |
| <a href=papers/bcrypt-slides.ps>slides</a>. |
<a href="papers/bcrypt-slides.ps">slides</a>. |
| <p> |
<p> |
| <li>Cryptography in OpenBSD: An Overview.<br> |
<li>Cryptography in OpenBSD: An Overview.<br> |
| <a href=events.html#usenix99>Usenix 1999</a>, |
<a href="events.html#usenix99">Usenix 1999</a>, |
| by <a href=mailto:deraadt@openbsd.org>Theo de Raadt</a>, |
by <a href="mailto:deraadt@openbsd.org">Theo de Raadt</a>, |
| <a href=mailto:niklas@openbsd.org>Niklas Hallqvist</a>, |
<a href="mailto:niklas@openbsd.org">Niklas Hallqvist</a>, |
| <a href=mailto:art@openbsd.org>Artur Grabowski</a>, |
<a href="mailto:art@openbsd.org">Artur Grabowski</a>, |
| <a href=mailto:angelos@openbsd.org>Angelos D. Keromytis</a>, |
<a href="mailto:angelos@openbsd.org">Angelos D. Keromytis</a>, |
| <a href=mailto:provos@openbsd.org>Niels Provos</a>.<br> |
<a href="mailto:provos@openbsd.org">Niels Provos</a>.<br> |
| <a href=papers/crypt-paper.ps>paper</a> and |
<a href="papers/crypt-paper.ps">paper</a> and |
| <a href=papers/crypt-slides.ps>slides</a>. |
<a href="papers/crypt-slides.ps">slides</a>. |
| <p> |
<p> |
| <li>Implementing Internet Key Exchange (IKE).<br> |
<li>Implementing Internet Key Exchange (IKE).<br> |
| <a href=events.html#usenix2000>Usenix 2000</a>, |
<a href="events.html#usenix2000">Usenix 2000</a>, |
| by <a href=mailto:niklas@openbsd.org>Niklas Hallqvist</a> and |
by <a href="mailto:niklas@openbsd.org">Niklas Hallqvist</a> and |
| <a href=mailto:angelos@openbsd.org>Angelos D. Keromytis</a>.<br> |
<a href="mailto:angelos@openbsd.org">Angelos D. Keromytis</a>.<br> |
| <a href=papers/ikepaper.ps>paper</a> and |
<a href="papers/ikepaper.ps">paper</a> and |
| <a href=papers/ikeslides.ps>slides</a>. |
<a href="papers/ikeslides.ps">slides</a>. |
| <p> |
<p> |
| <li>Encrypting Virtual Memory</a><br> |
<li>Encrypting Virtual Memory.<br> |
| <a href=events.html#sec2000>Usenix Security 2000</a>, |
<a href="events.html#sec2000">Usenix Security 2000</a>, |
| <a href=mailto:provos@openbsd.org>Niels Provos</a>.<br> |
<a href="mailto:provos@openbsd.org">Niels Provos</a>.<br> |
| <a href=papers/swapencrypt.ps>paper</a> and |
<a href="papers/swapencrypt.ps">paper</a> and |
| <a href=papers/swapencrypt-slides.ps>slides</a>. |
<a href="papers/swapencrypt-slides.ps">slides</a>. |
| </ul> |
</ul> |
| |
|
| <p> |
<p> |
| <hr> |
<hr> |
| <a href=index.html><img height=24 width=24 src=back.gif border=0 alt=OpenBSD></a> |
<a href="index.html"><img height="24" width="24" src="back.gif" border="0" alt="OpenBSD"></a> |
| <a href=mailto:www@openbsd.org>www@openbsd.org</a> |
<a href="mailto:www@openbsd.org">www@openbsd.org</a> |
| <br> |
<br> |
| <small>$OpenBSD$</small> |
<small>$OpenBSD$</small> |
| |
|
![[BACK]](/icons/back.gif){kind=icon}
Return to crypto.html CVS log ![[TXT]](/icons/text.gif){kind=icon}
![[DIR]](/icons/dir.gif){kind=icon}
Up to [local] / www