[OpenBSD]

Cryptography

Index
SSH soon built into OpenBSD base code
Why do we ship cryptography?
Pseudo Random Number Generators (PRNG): ARC4, ...
Cryptographic Hash Functions: MD5, SHA1, ...
Cryptographic Transforms: DES, Blowfish, ...
International Cryptographers Wanted
Further Reading


  • Why do we ship cryptography?

    In three words: because we can.

    The OpenBSD project is based in Canada.

    The Export Control List of Canada places no significant restriction on the export of cryptographic software, and is even more explicit about the free export of freely-available cryptographic software. Marc Plumb has done some research to test the cryptographic laws.

    Hence the OpenBSD project has embedded cryptography into numerous places in the operating system. We require that the cryptographic software we use be freely available and with good licenses. We do not directly use cryptography with nasty patents. We also require that such software is from countries with useful export licenses because we do not wish to break the laws of any country. The cryptographic software components which we use currently were written in Argentina, Australia, Canada, Germany, Greece, Norway, and Sweden.

    When we create OpenBSD releases or snapshots we build our release binaries in free countries to assure that the sources and binaries we provide to users are free of tainting. In the past our release binary builds have been done in Canada, Sweden, and Germany.

    OpenBSD ships with Kerberos IV included. The codebase we use is the exportable KTH-based release from Sweden. Our X11 source has been extended to make use of Kerberos IV as well. Kerberos V support will perhaps appear in 1999, but at the present time a freely exportable Kerberos V release does not exist.

    Today cryptography is an important means for enhancing the security of an operating system. The cryptography utilized in OpenBSD can be classified into three different aspects, which will be described later.

  • SSH soon built into OpenBSD base code

    What do most people do right after they install OpenBSD?

    They install Secure Shell (SSH) from the ports tree or the packages on the CD-ROM. Until now, that is.

    This is still very much a work in progress, but we found an innovative way around the RSA patent. We are taking a free license release of SSH and OpenBSD-ifying it.

    We get around the US-based RSA patent by letting end users selectively download the correct libssl file for their location (US resident or not).

  • Pseudo Random Number Generators

    A Pseudo Random Number Generator (PRNG) provides applications with a stream of numbers which have certain important properties for system security:

    • It should be impossible for an outsider to predict the output of the random number generator even with knowledge of previous output.
    • The generated numbers should not have repeating patterns, which means the PRNG should have a very long cycle length.

    A PRNG is normally just an algorithm where the same initial starting values will yield the same sequence of outputs. On a multiuser operating system there are many sources which allow seeding the PRNG with random data. The OpenBSD kernel uses the mouse interrupt timing, network data interrupt latency, inter-keypress timing and disk IO information to fill an entropy pool. Random numbers are available for kernel routines and are exported via devices to userland programs. So far random numbers are used in the following places:

    • Dynamic sin_port allocation in bind(2).
    • PIDs of processes.
    • IP datagram IDs.
    • RPC transaction IDs (XID).
    • NFS RPC transaction IDs (XID).
    • DNS Query-IDs.
    • Inode generation numbers, see getfh(2) and fsirand(8).
    • Timing perturbance in traceroute(8).
    • Stronger temporary names for mktemp(3) and mkstemp(3).
    • Randomness added to the TCP ISS value for protection against spoofing attacks.
    • Random padding in IPSEC esp_old packets.
    • To generate salts for the various password algorithms.
    • For generating fake S/Key challenges.
    • In photurisd and isakmpd to provide liveness proof of key exchanges.
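
    The point that the same starting values yield the same outputs can be shown with ARC4, the generator named in the index above. This is an added example, not OpenBSD's own code; the seeds "Key" and "Wiki" are constructed stand-ins for entropy-pool output.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct arc4 { uint8_t s[256], i, j; };   /* permutation plus two indices */

/* Key schedule: the seed (len > 0) fixes the whole permutation. */
static void arc4_seed(struct arc4 *a, const char *seed, size_t len)
{
    uint8_t j = 0, t;
    for (int n = 0; n < 256; n++)
        a->s[n] = (uint8_t)n;
    for (int n = 0; n < 256; n++) {
        j = (uint8_t)(j + a->s[n] + (uint8_t)seed[n % len]);
        t = a->s[n]; a->s[n] = a->s[j]; a->s[j] = t;
    }
    a->i = a->j = 0;
}

/* Next output byte of the generator. */
static uint8_t arc4_byte(struct arc4 *a)
{
    uint8_t t;
    a->i = (uint8_t)(a->i + 1);
    a->j = (uint8_t)(a->j + a->s[a->i]);
    t = a->s[a->i]; a->s[a->i] = a->s[a->j]; a->s[a->j] = t;
    return a->s[(uint8_t)(a->s[a->i] + a->s[a->j])];
}

/* 16-bit value, the width of a DNS Query-ID or IP datagram ID. */
static uint16_t arc4_id16(struct arc4 *a)
{
    uint16_t hi = arc4_byte(a);
    return (uint16_t)(hi << 8 | arc4_byte(a));
}

/* 1 if generators seeded with s1 and s2 emit the same first n IDs. */
static int same_sequence(const char *s1, const char *s2, int n)
{
    struct arc4 a, b;
    arc4_seed(&a, s1, strlen(s1));
    arc4_seed(&b, s2, strlen(s2));
    while (n-- > 0)
        if (arc4_id16(&a) != arc4_id16(&b))
            return 0;
    return 1;
}

/* Constructed seed "Key": exit status 0 means both streams matched. */
int main(void) { return !same_sequence("Key", "Key", 1000); }
```

    Anyone who learns the seed can regenerate every identifier, so the unpredictability of the output rests entirely on the entropy used for seeding.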

  • Cryptographic Hash Functions

    A Hash Function compresses its input data to a string of constant size. For a Cryptographic Hash Function it is infeasible to find:

    • two inputs which have the same output (collision resistant),
    • a different input for a given input with the same output (2nd preimage resistant).

    In OpenBSD, MD5, SHA1, and RIPEMD-160 are used as Cryptographic Hash Functions, e.g.:

    • In S/Key to provide one time passwords.
    • In IPsec, photurisd and isakmpd(8) to authenticate the data origin of packets and to ensure packet integrity.
    • For FreeBSD-style MD5 passwords (not enabled by default), see passwd.conf(5).
    • For TCP SYN cookie support (not enabled by default), see options(4).
    • In libssl for digital signing of messages.

  • Cryptographic Transforms

    Cryptographic Transforms are used to encrypt and decrypt data. These are normally used with an encryption key for data encryption and with a decryption key for data decryption. The security of a Cryptographic Transform should rely only on the keying material.

    OpenBSD provides transforms like DES, 3DES, Blowfish and CAST for the kernel and userland programs, which are used in many places like:

    • In libc for creating Blowfish passwords. See also the USENIX paper on this topic.
    • In IPsec to provide confidentiality for the network layer.
    • In Kerberos and a handful of kerberized applications, like telnet, cvs, rsh, rcp, and rlogin.
    • In photurisd and isakmpd to protect the exchanges where IPsec key material is negotiated.
    • In AFS to protect the messages passing over the network, providing confidentiality of remote filesystem access.
    • In libssl to let applications communicate over the de-facto standard cryptographically secure SSL protocol.

  • International Cryptographers Wanted

    Of course, our project needs people to work on these systems. If any non-American cryptographer who meets the constraints listed earlier is interested in helping out with embedded cryptography in OpenBSD, please contact us.

  • Further Reading

    OpenBSD team members have written a number of papers about the cryptographic changes they have made in OpenBSD. The PostScript versions of these documents are available as follows.

    • A Future-Adaptable Password Scheme
      Niels Provos, David Mazieres.
      paper and slides.
    • Cryptography in OpenBSD: An Overview
      Theo de Raadt, Niklas Hallqvist, Artur Grabowski, Angelos D. Keromytis, Niels Provos.
      paper and slides.

  • OpenBSD www@openbsd.org
    $OpenBSD: crypto.html,v 1.39 1999/10/01 17:57:06 louis Exp $