www/crypto.html - diff

Return to crypto.html CVS log

Up to [local] / www

Diff for /www/crypto.html between version 1.9 and 1.10

-version 1.9, 1998/02/21 00:43:42
+version 1.10, 1998/02/23 18:36:03
 Line 1
 Line 1
 Line 1
- <!DOCTYPE HTML PUBLIC  "-//IETF//DTD HTML Strict//EN">
+ <!DOCTYPE HTML PUBLIC  "-//IETF//DTD HTML Strict Level 2//EN//2.0">
  <html>
  <head>
- <title>OpenBSD Cryptography</title>
+ <title>Cryptography in OpenBSD</title>
  <link rev=made href=mailto:www@openbsd.org>
  <meta name="resource-type" content="document">
- <meta name="description" content="OpenBSD Cryptography use">
+ <meta name="description" content="OpenBSD cryptography">
- <meta name="keywords" content="openbsd,main">
+ <meta name="keywords" content="openbsd,cryptography">
  <meta name="distribution" content="global">
  <meta name="copyright" content="This document copyright 1997 by OpenBSD.">
  </head>
 Line 16
 Line 16
 Line 16
  <p>
  <h3><font color=#e00000><strong>OpenBSD Cryptography</strong></font></h3>
  The OpenBSD project is based in Canada.<p>
  The <a href=http://axion.physics.ubc.ca/ECL.html>Export Control
-Line 35
+Line 34
 Line 35
 Line 34
  We also require that such software is from a countries with useful export
  licenses because we do not wish to break the laws of any country.<p>
- We use strong and weak crypto in different parts of the system:
+ When we make OpenBSD releases or snapshots we do our build processes
+ in free countries to assure that the sources and binaries we provide
+ to users are free of tainting.  In the past our release binary builds
+ have been done in Canada, Sweden, and Germany.<p>
+ Today cryptography is an important mean for enhancing the security
+ of an operating system.  The cryptography utilized in OpenBSD
+ can be classified into three different aspects:<p>
  <ul>
- <li>Strong blowfish based password entries with 128-bit salt and a
+ <li> <a href=#prng>Pseudo Random Number Generators</a> (PRNG): ARC4, ...
-         strength-control mechanism for the system administrator.
+ <li> <a href=#hash>Cryptographic Hash Functions</a>: MD5, SHA1, ...
- <li>KerberosIV fully integrated.
+ <li> <a href=#trans>Cryptographic Transforms</a>: DES, Blowfish, ...
- <li>IPSEC with 10+ ciphers integrated into the OS.
- <li>The IPSEC <a href=http://wserver.physnet.uni-hamburg.de/provos/photuris/>
-         Photuris daemon.</a>
- <li>Strong random number components are used in numerous places.
- <li>All the normal DES code is in libc (where it belongs).
- <li>DNS id pseudo-randomization.
- <li>(What have I missed?)
  </ul>
  <p>
+ <a name=prng>
+ <h3><font color=#e00000><strong>Pseudo Random Number Generators</strong></font></h3>
+ A Pseudo Random Number Generator (PRNG) provides applications with a stream of
+ numbers which have certain important properties for system security:<p>
- When we make OpenBSD releases or snapshots we do our build processes
+ <ul>
- in free countries to assure that the sources and binaries we provide
+ <li> It should be impossible for an outsider to predict the output of the
- to users are free of tainting.  In the past our release binary builds
+ random number generator even with knowledge of previous output.
- have been done in Canada, Sweden, and Germany.<p>
+ <li> The generated numbers should not have repeating patterns which means
+ the PRNG should have a very long cycle length.
+ </ul>
+ Since a PRNG is normally just an algorithm where the same initial
+ starting values will yield the same output. On a multiuser operating
+ system there are many sources which allow seeding the PRNG with random
+ data. The OpenBSD kernel uses the mouse interrupt timing, network data
+ interrupt latency, inter-keypress timing and disk IO information to
+ fill an entropy pool.  Random numbers are available for kernel
+ routines and are exported via devices to userland programs.
+ In OpenBSD random numbers are used in many places, such as<p>
+ <ul>
+ <li> ports of a bound socket,
+ <li> PIDs of processes,
+ <li> RPC transaction IDs,
+ <li> DNS Query-IDs,
+ <li> inode generation numbers and
+ <li> password salts.
+ </ul>
+ <p>
+ <a name=hash>
+ <h3><font color=#e00000><strong>Cryptographic Hash Functions</strong></font></h3>
+ A Hash Function compresses its input data to a string of
+ constant size. For a Cryptographic Hash Function it is infeasible to find
+ <ul>
+ <li> two inputs which have the same output (collision resistant),
+ <li> a different input for a given input with the same output (2nd preimage resistant).
+ </ul>
+ In OpenBSD MD5 and SHA1 are used as Cryptographic Hash Functions, e.g.
+ <ul>
+ <li> in S/Key to provide one time passwords,
+ <li> in <a href=http://wserver.physnet.uni-hamburg.de/provos/photuris/>
+         IPSec or Photuris</a> to authenticate the data origin of packets
+         and to ensure packet integrity.
+ </ul>
+ <p>
+ <a name=trans>
+ <h3><font color=#e00000><strong>Cryptographic Transforms</strong></font></h3>
+ Cryptographic Transforms are used to encrypt and decrypt data. There are
+ normally provided with an encryption key for data encryption and with a
+ decryption key for data decryption. The security of a Cryptographic Transform
+ should rely only on the keying material.
+ OpenBSD provides, e.g. DES and Blowfish encryption for the kernel and userland
+ programs, which are used, e.g.
+ <ul>
+ <li> in libc for creating Blowfish passwords,
+ <li> in <a href=http://wserver.physnet.uni-hamburg.de/provos/photuris/>IPSec</a>
+         to provide confidentiality for the network layer,
+ <li> in kerberized telnet,
+ <li> in Photuris to protect the exchanged packet content.
+ </ul>
+ <p>
  <hr>
- <font size="-1">
+ <a href=/index.html><img src=/back.gif border=0 alt=OpenBSD></a>
- <em>This site Copyright &copy; 1996-1998 OpenBSD.</em><br>
+ <a href=mailto:www@openbsd.org>www@openbsd.org</a>
- $OpenBSD$
+ <br>
- </font>
+ <small>$OpenBSD$</small>
- </BODY>
+ </body>
- </HTML>
+ </html>