===================================================================
RCS file: /cvsrepo/anoncvs/cvs/www/crypto.html,v
retrieving revision 1.9
retrieving revision 1.10
diff -u -r1.9 -r1.10
--- www/crypto.html	1998/02/21 00:43:42	1.9
+++ www/crypto.html	1998/02/23 18:36:03	1.10
@@ -1,11 +1,11 @@
-<!DOCTYPE HTML PUBLIC  "-//IETF//DTD HTML Strict//EN">
+<!DOCTYPE HTML PUBLIC  "-//IETF//DTD HTML Strict Level 2//EN//2.0">
 <html>
 <head>
-<title>OpenBSD Cryptography</title>
+<title>Cryptography in OpenBSD</title>
 <link rev=made href=mailto:www@openbsd.org>
 <meta name="resource-type" content="document">
-<meta name="description" content="OpenBSD Cryptography use">
-<meta name="keywords" content="openbsd,main">
+<meta name="description" content="OpenBSD cryptography">
+<meta name="keywords" content="openbsd,cryptography">
 <meta name="distribution" content="global">
 <meta name="copyright" content="This document copyright 1997 by OpenBSD.">
 </head>
@@ -16,7 +16,6 @@
 
 <p>
 <h3><font color=#e00000><strong>OpenBSD Cryptography</strong></font></h3>
-
 The OpenBSD project is based in Canada.<p>
 
 The <a href=http://axion.physics.ubc.ca/ECL.html>Export Control
@@ -35,32 +34,93 @@
 We also require that such software is from a countries with useful export
 licenses because we do not wish to break the laws of any country.<p>
 
-We use strong and weak crypto in different parts of the system:
+When we make OpenBSD releases or snapshots we do our build processes
+in free countries to assure that the sources and binaries we provide
+to users are free of tainting.  In the past our release binary builds
+have been done in Canada, Sweden, and Germany.<p>
 
+Today cryptography is an important mean for enhancing the security
+of an operating system.  The cryptography utilized in OpenBSD
+can be classified into three different aspects:<p>
+
 <ul>
-<li>Strong blowfish based password entries with 128-bit salt and a
-	strength-control mechanism for the system administrator.
-<li>KerberosIV fully integrated.
-<li>IPSEC with 10+ ciphers integrated into the OS.
-<li>The IPSEC <a href=http://wserver.physnet.uni-hamburg.de/provos/photuris/>
-	Photuris daemon.</a>
-<li>Strong random number components are used in numerous places. 
-<li>All the normal DES code is in libc (where it belongs).
-<li>DNS id pseudo-randomization.
-<li>(What have I missed?)
+<li> <a href=#prng>Pseudo Random Number Generators</a> (PRNG): ARC4, ...
+<li> <a href=#hash>Cryptographic Hash Functions</a>: MD5, SHA1, ...
+<li> <a href=#trans>Cryptographic Transforms</a>: DES, Blowfish, ...
 </ul>
+
 <p>
+<a name=prng>
+<h3><font color=#e00000><strong>Pseudo Random Number Generators</strong></font></h3>
+A Pseudo Random Number Generator (PRNG) provides applications with a stream of 
+numbers which have certain important properties for system security:<p>
 
-When we make OpenBSD releases or snapshots we do our build processes
-in free countries to assure that the sources and binaries we provide
-to users are free of tainting.  In the past our release binary builds
-have been done in Canada, Sweden, and Germany.<p>
+<ul>
+<li> It should be impossible for an outsider to predict the output of the
+random number generator even with knowledge of previous output.
+<li> The generated numbers should not have repeating patterns which means
+the PRNG should have a very long cycle length.
+</ul>
 
+Since a PRNG is normally just an algorithm where the same initial
+starting values will yield the same output. On a multiuser operating
+system there are many sources which allow seeding the PRNG with random
+data. The OpenBSD kernel uses the mouse interrupt timing, network data
+interrupt latency, inter-keypress timing and disk IO information to
+fill an entropy pool.  Random numbers are available for kernel
+routines and are exported via devices to userland programs.
+In OpenBSD random numbers are used in many places, such as<p>
+<ul>
+<li> ports of a bound socket,
+<li> PIDs of processes,
+<li> RPC transaction IDs,
+<li> DNS Query-IDs,
+<li> inode generation numbers and
+<li> password salts.
+</ul>
+
+<p>
+<a name=hash>
+<h3><font color=#e00000><strong>Cryptographic Hash Functions</strong></font></h3>
+A Hash Function compresses its input data to a string of
+constant size. For a Cryptographic Hash Function it is infeasible to find
+<ul>
+<li> two inputs which have the same output (collision resistant),
+<li> a different input for a given input with the same output (2nd preimage resistant).
+</ul>
+
+In OpenBSD MD5 and SHA1 are used as Cryptographic Hash Functions, e.g.
+<ul> 
+<li> in S/Key to provide one time passwords,
+<li> in <a href=http://wserver.physnet.uni-hamburg.de/provos/photuris/>
+	IPSec or Photuris</a> to authenticate the data origin of packets
+	and to ensure packet integrity.
+</ul>
+
+<p>
+<a name=trans>
+<h3><font color=#e00000><strong>Cryptographic Transforms</strong></font></h3>
+Cryptographic Transforms are used to encrypt and decrypt data. There are 
+normally provided with an encryption key for data encryption and with a 
+decryption key for data decryption. The security of a Cryptographic Transform
+should rely only on the keying material.
+
+OpenBSD provides, e.g. DES and Blowfish encryption for the kernel and userland
+programs, which are used, e.g. 
+<ul>
+<li> in libc for creating Blowfish passwords,
+<li> in <a href=http://wserver.physnet.uni-hamburg.de/provos/photuris/>IPSec</a>
+	to provide confidentiality for the network layer,
+<li> in kerberized telnet,
+<li> in Photuris to protect the exchanged packet content.
+</ul>
+
+<p>
 <hr>
-<font size="-1">
-<em>This site Copyright &copy; 1996-1998 OpenBSD.</em><br>
-$OpenBSD: crypto.html,v 1.9 1998/02/21 00:43:42 deraadt Exp $
-</font>
+<a href=/index.html><img src=/back.gif border=0 alt=OpenBSD></a>
+<a href=mailto:www@openbsd.org>www@openbsd.org</a>
+<br>
+<small>$OpenBSD: crypto.html,v 1.10 1998/02/23 18:36:03 deraadt Exp $</small>
 
-</BODY>
-</HTML>
+</body>
+</html>
