-
Notifications
You must be signed in to change notification settings - Fork 42
/
Copy pathcrypto.html
499 lines (449 loc) · 22.2 KB
/
crypto.html
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<link rev="made" href="mailto:[email protected]">
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<meta name="resource-type" content="document">
<meta name="description" content="OpenBSD cryptography">
<meta name="keywords" content="openbsd,cryptography,openssh,openssl,kerberos">
<meta name="keywords" content="ipsec,isakmp,ike,blowfish,des,rsa,dsa">
<meta name="distribution" content="global">
<meta name="copyright" content="This document copyright 1997-2006 by OpenBSD.">
<title>Cryptography in OpenBSD</title>
</head>
<body bgcolor="#ffffff" text="#000000" link="#23238e">
<img align="left" alt="[OpenBSD]" height="166" width="197" src="images/blowfish-notext.jpg">
<br>
<br>
<br>
"The mantra of any good security engineer is: "Security is not a
product, but a process." It's more than designing strong cryptography
into a system; it's designing the entire system such that all security
measures, including cryptography, work together."<br>
<br>
-- Bruce Schneier, author of "Applied Cryptography".
<br clear="all">
<h2><font color="#e00000">Cryptography</font></h2>
<hr>
<strong>Index</strong><br>
<a href="#why">Why do we ship cryptography?</a>.<br>
<a href="#ssh">OpenSSH</a>.<br>
<a href="#prng">Pseudo Random Number Generators</a> (PRNG): ARC4, ...<br>
<a href="#hash">Cryptographic Hash Functions</a>: MD5, SHA1, ...<br>
<a href="#trans">Cryptographic Transforms</a>: DES, Blowfish, ...<br>
<a href="#hardware">Cryptographic Hardware support</a><br>
<a href="#people">International Cryptographers wanted</a><br>
<a href="#papers">Further Reading</a><br>
<p>
<hr>
<a name="why"></a>
<h3><font color="#e00000">Why do we ship cryptography?</font></h3><p>
In three words: <strong>because we can</strong>.<p>
The OpenBSD project is based in Canada.<p>
The <a href="ECL.html">Export Control List of Canada</a>
places no significant restriction on the export of
cryptographic software, and is even more explicit about the free
export of freely-available cryptographic software. Marc Plumb has
done
<a href="http://www.efc.ca/pages/doc/crypto-export.html">
some research to test the cryptographic laws</a>.
<p>
Hence the OpenBSD project has embedded cryptography into numerous places
in the operating system. We require that the cryptographic software we
use be <a href="policy.html">freely available and with good licenses</a>.
We do not directly use cryptography with nasty patents.
We also require that such software is from countries with useful export
licenses because we do not wish to break the laws of any country.
The cryptographic software components which we use currently were
written in Argentina, Australia, Canada, Germany, Greece, Norway, and
Sweden.
<p>
When we create OpenBSD releases or snapshots we build our release
binaries in free countries to assure that the sources and binaries we
provide to users are free of tainting. In the past our release binary
builds have been done in Canada, Sweden, and Germany.<p>
OpenBSD ships with Kerberos V included. The codebase we use is the
exportable Heimdal release from Sweden. Our X11 source has been
extended to make use of Kerberos as well.<p>
<img align="right" src="images/vpnc-test-partner.gif" alt="VPNC TEST PARTNER">
OpenBSD was the first operating system to ship with an IPsec stack.
We've been including IPsec since the OpenBSD 2.1 release in 1997.
Our fully conformant in-kernel IPsec stack, with hardware acceleration
based on a number of cards, and our own free ISAKMP daemon, is used as
one of the machines in the IPsec conformance testbed run by
<a href="http://www.vpnc.org">VPNC</a>.
<br clear="all">
<p>
Today cryptography is an important means for enhancing the <a
href="security.html">security</a> of an operating system. The
cryptography utilized in OpenBSD can be classified into various
aspects, described as follows.<p>
<a name="ssh"></a>
<h3><font color="#e00000">OpenSSH</font></h3><p>
As of the 2.6 release, OpenBSD contains
<a href="http://www.openssh.com/">OpenSSH</a>, an absolutely free and
patent unencumbered version of ssh.
<a href="http://www.openssh.com/">OpenSSH</a> interoperated with ssh
version 1 and had many added features,
<ul>
<li>
all components of a restrictive nature (i.e., patents, see
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssl&sektion=8">ssl(8)</a>)
had been directly removed from the source code; any licensed or
patented components used external libraries.
<li>
had been updated to support ssh protocol 1.5.
<li>
contained added support for Kerberos authentication and ticket passing.
<li>
supported one-time password authentication with
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=skey&sektion=1">skey(1)</a>.
</ul>
<p>
Roughly said, we took a free license release of ssh, OpenBSD-ifyed it.
About a year later, we extended OpenSSH to also do SSH 2 protocol, the
result being support for all 3 major SSH protocols: 1.3, 1.5, 2.0.
<a name="prng"></a>
<h3><font color="#e00000">Pseudo Random Number Generators</font></h3><p>
A Pseudo Random Number Generator (PRNG) provides applications with a stream of
numbers which have certain important properties for system security:<p>
<ul>
<li>It should be impossible for an outsider to predict the output of the
random number generator even with knowledge of previous output.
<li>The generated numbers should not have repeating patterns which means
the PRNG should have a very long cycle length.
</ul>
<p>
A PRNG is normally just an algorithm where the same initial starting
values will yield the same sequence of outputs. On a multiuser
operating system there are many sources which allow seeding the PRNG
with random data. The OpenBSD kernel uses the mouse interrupt timing,
network data interrupt latency, inter-keypress timing and disk IO
information to fill an entropy pool. Random numbers are available for
kernel routines and are exported via devices to userland programs.
So far random numbers are used in the following places:<p>
<ul>
<li>Dynamic sin_port allocation in bind(2).
<li>PIDs of processes.
<li>IP datagram IDs.
<li>RPC transaction IDs (XID).
<li>NFS RPC transaction IDs (XID).
<li>DNS Query-IDs.
<li>Inode generation numbers, see getfh(2) and fsirand(8).
<li>Timing perturbance in traceroute(8).
<li>Stronger temporary names for mktemp(3) and mkstemp(3)
<li>Randomness added to the TCP ISS value for protection against
spoofing attacks.
<li>random padding in IPsec esp_old packets.
<li>To generate salts for the various password algorithms.
<li>For generating fake S/Key challenges.
<li>In <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=isakmpd&sektion=8">isakmpd(8)</a>
to provide liveness proof of key exchanges.
</ul>
<p>
<a name="hash"></a>
<h3><font color="#e00000">Cryptographic Hash Functions</font></h3><p>
A Hash Function compresses its input data to a string of
constant size. For a Cryptographic Hash Function it is infeasible to find:
<ul>
<li>two inputs which have the same output (collision resistant),
<li>a different input for a given input with the same output
(2nd preimage resistant).
</ul>
<p>
In OpenBSD MD5, SHA1, and RIPEMD-160 are used as Cryptographic Hash Functions,
e.g:<p>
<ul>
<li>In <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=skey&sektion=1">S/Key(1)</a>
to provide one time passwords.
<li>In <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ipsec&sektion=4">IPsec(4)</a>
and
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=isakmpd&sektion=8">isakmpd(8)</a>
to authenticate the data origin of packets and to ensure packet integrity.
<li>For FreeBSD-style MD5 passwords (not enabled by default), see
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=login.conf&sektion=5">
login.conf(5)</a>
<li>In libssl for digital signing of messages.
</ul>
<p>
<p>
<a name="trans"></a>
<h3><font color="#e00000">Cryptographic Transforms</font></h3><p>
Cryptographic Transforms are used to encrypt and decrypt data. These
are normally used with an encryption key for data encryption and with
a decryption key for data decryption. The security of a Cryptographic
Transform should rely only on the keying material.<p>
OpenBSD provides transforms like DES, 3DES, Blowfish and Cast for the
kernel and userland programs, which are used in many places like:<p>
<ul>
<li>In libc for creating
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=blf_key&sektion=3">Blowfish</a>
passwords. See also the <a href="papers/bcrypt-paper.ps">USENIX paper</a>
on this topic.
<li>In
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ipsec&sektion=4">IPsec(4)</a>
to provide confidentiality for the network layer.
<li>In <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=isakmpd&sektion=8">isakmpd(8)</a>
to protect the exchanges where IPsec key material is negotiated.
<li>In libssl to let applications communicate over the de-facto standard
cryptographically secure SSL protocol.
</ul>
<p>
<a name="hardware"></a>
<h3><font color="#e00000">Cryptographic Hardware Support</font></h3><p>
OpenBSD, starting with 2.7, has begun supporting some cryptography hardware
such as accelerators and random number generators.
<ul>
<li><b><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=crypto&sektion=9">
IPsec crypto dequeue</a></b><br>
Our IPsec stack has been modified so that cryptographic functions get
done out-of-line. Most simple software IPsec stacks need to do
cryptography when processing each packet. This results in synchronous
performance. To use hardware properly and speedily one needs to separate
these two components, as we have done. Actually, doing this gains some
performance even for the software case.
<p>
<li><b><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=hifn&sektion=4">
Hifn 7751</a></b><br>
Cards using the Hifn 7751 can be used as a symmetric cryptographic
accelerator, i.e., the
<a href="http://www.soekris.com/vpn1201.htm">Soekris VPN1201 or VPN1211</a>
(<a href="http://www.soekris.com/how_to_buy.htm">to buy</a>)
or
<a href="http://www.powercrypt.com">PowerCrypt</a>.
Current performance using a single Hifn 7751 on each end of a tunnel
is 64Mbit/sec for 3DES/SHA1 ESP, nearly a 600% improvement over
using a P3/550 CPU. Further improvements are under way to resolve a
few more issues, but as of April 13, 2000 the code is considered
stable. We wrote our own driver for supporting this chip, rather
than using the (USA-written)
<a href="http://www.powercrypt.com">PowerCrypt</a> driver, as well
our driver links in properly to the IPsec stack.
The 7751 is now considered slow by industry standards and many vendors
have faster chips (even Hifn now has a faster but more expensive
chip). Peak performance with 3DES SHA1 ESP is around 64Mbit/sec.
<p>
After 2.9 shipped, support was added for the Hifn 7951 chip, a
simplified version of the 7751 which adds a public key accelerator
(unsupported) and a random number generator (supported). Cards
were donated by <a href="http://www.soekris.com/">Soekris Engineering</a>.
<p>
After 3.0 shipped, support was added for the Hifn 7811 chip, a
faster version of the 7751 (around 130Mbit/s) with a random number
generator. A card was donated by <a href="http://www.gtgi.com/">GTGI</a>.
<p>
After 3.2 shipped, support was added for the LZS compression algorithm
used by <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ipcomp&sektion=4">ipcomp(4)</a>.
<p>
After 3.4 shipped, support was added for the 7955 and 7956 chips.
In addition to all the features of the previous 7951 chip, these add AES.
<p>
Hifn was initially a difficult company to deal with (threatening to sue
us over our non-USA reverse engineering of their crypto unlock algorithm),
but more recently they have been very helpful in providing boards and
support.
<p>
<li><b><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=lofn&sektion=4">
Hifn 6500</a></b><br>
This device is an asymmetric crypto unit. It has support for RSA, DSA,
and DH algorithms, as well as other major big number functions. It also
contains a very high performance random number generator. We have one
device, full documentation, and sample code. As of OpenBSD 3.1,
both the random number generator and big number unit are working.
<p>
<li><b><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=nofn&sektion=4">
Hifn 7814/7851/7854</a></b><br>
This device is a packet processor and asymmetric crypto unit. It has
support for RSA, DSA, and DH algorithms, as well as other major big number
functions and also has a random number generator. Currently, only the
big number engine and the random number generator are supported (no
packet transforms).
<p>
<li><b><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ubsec&sektion=4">
Broadcom BCM5801/BCM5802/BCM5805/BCM5820/BCM5821/BCM5822/5823/5825/5860/5861/5862
(or beta chip Bluesteelnet 5501/5601)</a></b><br>
Just after the OpenBSD 2.7 release, we succeeded at adding preliminary
support for these early release parts provided to us by the vendor,
specifically starting with the test chip 5501.
These devices provide the highest performance symmetric cryptography
we have seen.
<p>
Bluesteelnet was bought by Broadcom and started making real parts.
Their new BCM5805 is similar, except that they also add an asymmetric
engine for running DSA, RSA, and other such algorithms. With approximate
performance starting at more than four times as fast as the Hifn,
hopefully this chip will become more common soon.
<p>
The Broadcom/Bluesteelnet people have been great to deal with. They gave
us complete documentation and sample code for their chips and a
sufficient number of cards to test with.
<p>
Post 2.8, this driver was also modified to generate random numbers on
the BCM5805 and similar versions, and feed that data into the kernel
entropy pool.
<p>
Post 2.9, support was added for the BCM5820, which is mostly just a
faster (64bit, higher clock speed) version of the BCM5805. Untested
support for the BCM5821 was also added post 3.0.
<p>
As of 3.1, the big num engine is supported, and RSA/DH/DSA operations
can be accelerated.
<p>
Support for the BCM5801, BCM5802, BCM5821 and BCM5822 was added before
OpenBSD 3.2 (the untested BCM5821 support in 3.1 was broken because of
some undocumented interrupt handling requirements).
<p>
Partial support for BCM5823 was added for 3.4.
<p>
Support for the BCM5825, BCM5860, BCM5861, and BCM5862 including support
for AES with the BCM5823 or newer was added after 4.5.
<p>
<li><b><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ises&sektion=4">
Securealink PCC-ISES</a></b><br>
The <a href="http://www.safenet-inc.com/technology/chips/safexcel_ises.asp">
PCC-ISES</a> is a new chipset from the Netherlands. We have received
sample hardware and documentation, and work on a driver is in progress.
At the moment, the driver is capable of feeding random numbers into
the kernel entropy pool.
<p>
<li><b><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=safe&sektion=4">
SafeNet SafeXcel 1141/1741</a></b><br>
After 3.4 shipped, support was for added for these two chips (found on various
<a href="http://www.safenet-inc.com/products/accCards/">SafeNet</a>
crypto cards. Supports DES, Triple-DES, AES, MD5, and SHA-1 symmetric crypto
operations, RNG, public key operations, and full IPsec packet processing.
<p>
<li><b>SafeNet SafeXcel 1840</b><br>
We have received documentation and sample hardware for the
<a href="http://www.safenet-inc.com/products/chips/safeXcel1840.asp">SafeNet 1840</a>
crypto chip. Work to support at least the RNG and symmetric cryptography of
these devices has started.
<p>
<li><b>SafeNet SafeXcel 2141</b><br>
We have received documentation and sample hardware for the
<a href="http://www.safenet-inc.com/products/chips/safeXcel2141.asp">SafeNet 2141</a>
crypto chip. Work to support at least the symmetric cryptography of
these devices has started.
<p>
<li><b><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=txp&sektion=4">
3com 3cr990</a></b><br>
3com gave us a driver to support the ethernet component of this chipset,
and based on that, we have written our own ethernet driver. This driver
has now been integrated once we were able to get a free license on the
microcode. Due to poor documentation and lack of cooperation (partly
because of the high turnover rates at 3Com), the IPsec functions of the
chip are not supported.... so this turned out to be a less than completely
useful exercise.
<p>
<li><b>Intel IPsec card</b><br>
Much like Intel does for all their networking division components, and
completely unlike most other vendors, Intel steadfastly refuses to provide
us with documentation. We have talked to about five technical people who
are involved in the development of those products. They all want us to
have documentation. They commend us on what we have done. But their hands
are tied by management who does not perceive a benefit to themselves for
providing documentation. Forget about Intel. (If you want to buy gigabit
ethernet hardware, we recommend anything else... for the same reason:
most drivers we have for Intel networking hardware were written without
documentation).
<p>
<li><b><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=pchb&sektion=4">
Intel 82802AB/82802AC Firmware Hub RNG</a></b><br>
The 82802 FWH chip (found on i810, i820, i840, i850, and i860 motherboards)
contains a random number generator (RNG). High-performance IPsec
requires more random number entropy. As of April 10, 2000, we support
the RNG. We will add support for other RNGs found on crypto chips.
<p>
<li><b>VIA C3 RNG</b><br>
The newer VIA C3 CPU contains a random number generator as an instruction.
As of <a href="33.html">3.3</a> this random number generator is used
inside the kernel to feed the entropy pool.
<p>
<li><b>VIA C3 AES instructions</b><br>
VIA C3 CPUs with a step 8 or later Nehemiah core contains an AES
implementation accessible via simple instructions. As of <a
href="34.html">3.4</a> the kernel supports them to be used in an
IPsec context and exported by <tt>/dev/crypto</tt>. As of <a
href="35.html">3.5</a> performances have been greatly improved
and OpenSSL now uses the new instruction directly when available
without the need to enter the kernel, resulting in vastly
improved speed (AES-128 measured at 780MByte/sec) for applications
using OpenSSL to perform AES encryption.
<p>
<li><b>OpenSSL</b><br>
Years ago, we had a grand scheme to support crypto cards that can do
RSA/DH/DSA automatically via OpenSSL calls. As of OpenBSD 3.2, that
support works, and any card that is supported with such functionality
will automatically use the hardware, including OpenSSH and httpd in
SSL mode. No application changes are required.
</ul>
<p>
<b>If people wish to help with writing drivers,
<a href="#people">come and help us</a>.</b>
<p>
<a name="people"></a>
<h3><font color="#e00000">International Cryptographers Wanted</font></h3><p>
Of course, our project needs people to work on these systems. If any
non-American cryptographer who meets the constraints listed earlier is
interested in helping out with embedded cryptography in OpenBSD,
please contact us.<p>
<p>
<a name="papers"></a>
<h3><font color="#e00000">Further Reading</font></h3><p>
A number of papers have been written by OpenBSD team members, about
cryptographic changes they have done in OpenBSD. The postscript
versions of these documents are available as follows.<p>
<ul>
<li>A Future-Adaptable Password Scheme.<br>
<a href="events.html#usenix99">Usenix 1999</a>,
by <a href="mailto:[email protected]">Niels Provos</a>,
<a href="mailto:[email protected]">David Mazieres</a>.<br>
<a href="papers/bcrypt-paper.ps">paper</a> and
<a href="papers/bcrypt-slides.ps">slides</a>.
<p>
<li>Cryptography in OpenBSD: An Overview.<br>
<a href="events.html#usenix99">Usenix 1999</a>,
by <a href="mailto:[email protected]">Theo de Raadt</a>,
<a href="mailto:[email protected]">Niklas Hallqvist</a>,
<a href="mailto:[email protected]">Artur Grabowski</a>,
<a href="mailto:[email protected]">Angelos D. Keromytis</a>,
<a href="mailto:[email protected]">Niels Provos</a>.<br>
<a href="papers/crypt-paper.ps">paper</a> and
<a href="papers/crypt-slides.ps">slides</a>.
<p>
<li>Implementing Internet Key Exchange (IKE).<br>
<a href="events.html#usenix2000">Usenix 2000</a>,
by <a href="mailto:[email protected]">Niklas Hallqvist</a> and
<a href="mailto:[email protected]">Angelos D. Keromytis</a>.<br>
<a href="papers/ikepaper.ps">paper</a> and
<a href="papers/ikeslides.ps">slides</a>.
<p>
<li>Encrypting Virtual Memory.<br>
<a href="events.html#sec2000">Usenix Security 2000</a>,
<a href="mailto:[email protected]">Niels Provos</a>.<br>
<a href="papers/swapencrypt.ps">paper</a> and
<a href="papers/swapencrypt-slides.ps">slides</a>.
<p>
<li>The Design of the OpenBSD Cryptographic Framework.<br>
<a href="events.html#usenix2003">Usenix 2003</a>, by
<a href="mailto:[email protected]">Angelos D. Keromytis</a>,
<a href="mailto:[email protected]">Jason L. Wright</a>, and
<a href="mailto:[email protected]">Theo de Raadt</a>.<br>
<a href="papers/ocf.pdf">paper</a>.
<p>
<li>Cryptography As an Operating System Service: A Case Study.<br>
<a href="http://www.acm.org/tocs/">ACM Transactions on Computer Systems</a>,
February 2006, by
<a href="mailto:[email protected]">Angelos D. Keromytis</a>,
<a href="mailto:[email protected]">Jason L. Wright</a>, and
<a href="mailto:[email protected]">Theo de Raadt</a>.<br>
<a href="papers/crypt-service.pdf">paper</a>.
</ul>
<p>
<hr>
<a href="index.html"><img height="24" width="24" src="back.gif" border="0" alt="OpenBSD"></a>
<a href="mailto:[email protected]">[email protected]</a>
<br>
<small>$OpenBSD: crypto.html,v 1.137 2013/03/25 17:37:43 deraadt Exp $</small>
</body>
</html>