Annotation of www/crypto.html, Revision 1.10
1.10 ! deraadt 1: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML Strict Level 2//EN//2.0">
1.1 deraadt 2: <html>
3: <head>
1.10 ! deraadt 4: <title>Cryptography in OpenBSD</title>
1.1 deraadt 5: <link rev=made href=mailto:www@openbsd.org>
6: <meta name="resource-type" content="document">
1.10 ! deraadt 7: <meta name="description" content="OpenBSD cryptography">
! 8: <meta name="keywords" content="openbsd,cryptography">
1.1 deraadt 9: <meta name="distribution" content="global">
10: <meta name="copyright" content="This document copyright 1997 by OpenBSD.">
11: </head>
12:
13: <BODY BGCOLOR="#FFFFFF" TEXT="#000000" LINK="#23238E">
14:
15: <img alt="[OpenBSD]" SRC="/images/smalltitle.gif">
16:
17: <p>
18: <h3><font color=#e00000><strong>OpenBSD Cryptography</strong></font></h3>
19: The OpenBSD project is based in Canada.<p>
20:
1.2 deraadt 21: The <a href=http://axion.physics.ubc.ca/ECL.html>Export Control
1.3 deraadt 22: List of Canada</a> places no significant restriction on the export of
1.5 deraadt 23: cryptographic software, and is even more explicit about the free
24: export of freely-available cryptographic software. Marc Plumb has
25: done
1.2 deraadt 26: <a href=http://insight.mcmaster.ca/org/efc/pages/doc/crypto-export.html>
1.5 deraadt 27: some research to test the cryptographic laws.</a>
1.2 deraadt 28: <p>
1.1 deraadt 29:
1.3 deraadt 30: Hence the OpenBSD project has embedded cryptography into numerous places
31: in the operating system. We require that the cryptographic software we
32: use be <a href=policy.html>freely available and with good licenses</a>.
1.4 deraadt 33: We do not use cryptography with nasty patents.
1.3 deraadt 34: We also require that such software is from a countries with useful export
1.7 deraadt 35: licenses because we do not wish to break the laws of any country.<p>
36:
1.10 ! deraadt 37: When we make OpenBSD releases or snapshots we do our build processes
! 38: in free countries to assure that the sources and binaries we provide
! 39: to users are free of tainting. In the past our release binary builds
! 40: have been done in Canada, Sweden, and Germany.<p>
! 41:
! 42: Today cryptography is an important mean for enhancing the security
! 43: of an operating system. The cryptography utilized in OpenBSD
! 44: can be classified into three different aspects:<p>
! 45:
! 46: <ul>
! 47: <li> <a href=#prng>Pseudo Random Number Generators</a> (PRNG): ARC4, ...
! 48: <li> <a href=#hash>Cryptographic Hash Functions</a>: MD5, SHA1, ...
! 49: <li> <a href=#trans>Cryptographic Transforms</a>: DES, Blowfish, ...
! 50: </ul>
! 51:
! 52: <p>
! 53: <a name=prng>
! 54: <h3><font color=#e00000><strong>Pseudo Random Number Generators</strong></font></h3>
! 55: A Pseudo Random Number Generator (PRNG) provides applications with a stream of
! 56: numbers which have certain important properties for system security:<p>
! 57:
! 58: <ul>
! 59: <li> It should be impossible for an outsider to predict the output of the
! 60: random number generator even with knowledge of previous output.
! 61: <li> The generated numbers should not have repeating patterns which means
! 62: the PRNG should have a very long cycle length.
! 63: </ul>
! 64:
! 65: Since a PRNG is normally just an algorithm where the same initial
! 66: starting values will yield the same output. On a multiuser operating
! 67: system there are many sources which allow seeding the PRNG with random
! 68: data. The OpenBSD kernel uses the mouse interrupt timing, network data
! 69: interrupt latency, inter-keypress timing and disk IO information to
! 70: fill an entropy pool. Random numbers are available for kernel
! 71: routines and are exported via devices to userland programs.
! 72: In OpenBSD random numbers are used in many places, such as<p>
! 73: <ul>
! 74: <li> ports of a bound socket,
! 75: <li> PIDs of processes,
! 76: <li> RPC transaction IDs,
! 77: <li> DNS Query-IDs,
! 78: <li> inode generation numbers and
! 79: <li> password salts.
! 80: </ul>
1.1 deraadt 81:
1.10 ! deraadt 82: <p>
! 83: <a name=hash>
! 84: <h3><font color=#e00000><strong>Cryptographic Hash Functions</strong></font></h3>
! 85: A Hash Function compresses its input data to a string of
! 86: constant size. For a Cryptographic Hash Function it is infeasible to find
1.1 deraadt 87: <ul>
1.10 ! deraadt 88: <li> two inputs which have the same output (collision resistant),
! 89: <li> a different input for a given input with the same output (2nd preimage resistant).
1.1 deraadt 90: </ul>
1.10 ! deraadt 91:
! 92: In OpenBSD MD5 and SHA1 are used as Cryptographic Hash Functions, e.g.
! 93: <ul>
! 94: <li> in S/Key to provide one time passwords,
! 95: <li> in <a href=http://wserver.physnet.uni-hamburg.de/provos/photuris/>
! 96: IPSec or Photuris</a> to authenticate the data origin of packets
! 97: and to ensure packet integrity.
! 98: </ul>
! 99:
1.6 deraadt 100: <p>
1.10 ! deraadt 101: <a name=trans>
! 102: <h3><font color=#e00000><strong>Cryptographic Transforms</strong></font></h3>
! 103: Cryptographic Transforms are used to encrypt and decrypt data. There are
! 104: normally provided with an encryption key for data encryption and with a
! 105: decryption key for data decryption. The security of a Cryptographic Transform
! 106: should rely only on the keying material.
1.6 deraadt 107:
1.10 ! deraadt 108: OpenBSD provides, e.g. DES and Blowfish encryption for the kernel and userland
! 109: programs, which are used, e.g.
! 110: <ul>
! 111: <li> in libc for creating Blowfish passwords,
! 112: <li> in <a href=http://wserver.physnet.uni-hamburg.de/provos/photuris/>IPSec</a>
! 113: to provide confidentiality for the network layer,
! 114: <li> in kerberized telnet,
! 115: <li> in Photuris to protect the exchanged packet content.
! 116: </ul>
1.1 deraadt 117:
1.10 ! deraadt 118: <p>
1.1 deraadt 119: <hr>
1.10 ! deraadt 120: <a href=/index.html><img src=/back.gif border=0 alt=OpenBSD></a>
! 121: <a href=mailto:www@openbsd.org>www@openbsd.org</a>
! 122: <br>
! 123: <small>$OpenBSD: index.html,v 1.24 1998/02/22 10:19:23 deraadt Exp $</small>
1.1 deraadt 124:
1.10 ! deraadt 125: </body>
! 126: </html>