Hardware Crypto Support In OpenBSD
"Further work will now happen. We wish to support other products (ie. IRE, Bluesteelnet, perhaps even 3COM or PCC-ISES if they would open their minds). Some crypto chip vendors are being extremely friendly to us. If anyone wants to help write drivers, get in touch."
"We also hope to add more parts to our cryptography framework so that it can supply RSA/DSA type operations for chips that support that, so that OpenSSL can use the framework, and thus enhancing everything from https to ssh performance. We have grand schemes in mind."
"If you order a card from www.powercrypt.com, tell them you intend to use it with OpenBSD. I have heard rumours they are allowed to export it."
"Most of this work was done by Jason Wright and Angelos Keromytis."
This is why many people don't use OpenBSD. They don't like to be proactive about security, even minorly so. Or they don't see the point. And if it doesn't suit them, they think they have to search for a reason to use it.
Look, are you afraid of remote logins? Data protection? Connecting securely to another machine? Then this might prove useful. To others, it may not be because they interoperate in a world where no one really gives a *real* damn about security (I mean beyond the lip service you get from several Linux distros (e.g. Redhat), MS products, etc.).
If anything, it isn't so you "hide" something. It can be simply an added layer of protection so your Linux or BSD box doesn't become some bouncing off point for attacks to other boxes, reducing your possible liability (I don't mean necessarily legal ones either; I don't want the feds blasting down my door because they *think* I'm the one hitting a machine when in reality someone hacked into it first).
--
Pronounce Linux as "LIE NUX": it's more representative of the community and the OS because of the way it sounds. It has the word "Lie" in it and rhymes with the word "Sucks."
Except that I can't find out how DES was developed. Oh sure I have the source, but it contains tables and tables and tables of magic numbers! The choice of the values for the S boxes and why and how those choices were made is **still** classified! Why? In the interests of my own security, I have no choice but to assume that it was to leave in some weak back door to the data that Feds (and any h4xx0r who stumbles upon the same trick) can quickly exploit at any time.
"The problem is that nothing else is as well-explored; all of the "NSA-safe" algorithms are too new to have been properly dug through."
But at least other algorithms *can* be explored. There's no magic unexplainable source code in there. And I trust many crypto experts around the globe saying [crypto-method] is secure based on examining the algorithm than I do the gov't telling me DES is secure "because we say it's secure but won't tell you why". Besides, the DOJ/FBI never did crack Kevin Mitnick's blowfished files. And for that, they refuse to return his equipment to him on the grounds that it "might" (excuse me?) contain illegally obtained data.
In browsing the web sites mentioned, I don't see pricing/availability info on the actual hardware, only mention that "we OEM."
Are there vendors actually selling these in "consumer" quantities?
If you're not part of the solution, you're part of the precipitate.
"Except that I can't find out how DES was developed. Oh sure I have the source, but it contains tables and tables and tables of magic numbers! The choice of the values for the S boxes and why and how those choices were made is **still** classified!"
That's true, and should have an impact on the decision process -- but again, we've been eyeballing those S-boxes for a LONG time, and we've found a lot of their characteristics -- and all of them we've found so far indicate that they're _strong_, not weak.
"But at least other algorithms *can* be explored. There's no magic unexplainable source code in there."
Now, what would make you say _that_? The fact that you haven't studied crypto? _All_ of the other algorithms contain incompletely understood mathematics. Even RC4, a model of beauty, simplicity, and NO magic numbers, is a black box mathematically.
"And I trust many crypto experts around the globe saying [crypto-method] is secure based on examining the algorithm"
Ahem. Fire them. All of them. Any crypto expert telling you an algorithm is "secure" is LYING. Okay, there's ONE exception: one-time-pad. And that's impractical.
"than I do the gov't telling me DES is secure "because we say it's secure but won't tell you why""
Well, they don't do that -- but there _are_ hundreds and even thousands of cryptographers who have focussed on DES for years and years, and who have found not only no holes, but have found that holes which are present in other similar algorithms are absent in DES.
"Besides, the DOJ/FBI never did crack Kevin Mitnick's blowfished files."
If they had a secret method for cracking DES, would they have admitted it? Certainly not. Blowfish is more likely, since admitting that wouldn't collapse the banking system, but it's still unlikely, since if they can crack it they'll want to save the secrecy for someone they don't have control over. Mitnick is nothing.
-Billy
When the differential-cryptanalysis attack came out in the mid-90s DES was one of the few ciphers that were extremely resistant to it. DES with the old pre-NSA-change S-Boxes was very weak against the "new" attack.
There were many people who believed that
There is no reason to believe that the S-Box change made DES weaker. Then again there is no reason to believe that it didn't. Or wasn't breakable by some other means the NSA knew about, and they wanted to fix the S-Boxes because they thought some other government knew how to attack them.
It's a hard field to make a right choice in, only in part because paranoia is actually a good mindset to be in when doing crypto think. I believe 3DES is relatively safe. But I don't know. I'll feel much better after we have 5+ years of experience with whatever cipher wins the AES selection process.
If your network link is encrypted, is there any reason for encrypted applications like ssh, https, and friends? It seems the answer would be no, but I'm not an expert.
SSLv2, SSLv3 and TLS all support DES and 3DES (according to the installed ciphers in my copy of Opera 3.62 on Windows). So this chip will help with this bit of SSL, once the initial key exchange stuff is done; no doubt an accelerator that supported the key exchanges better would be faster.
This would be a good chip to use for IPSec VPNs with pre-shared keys - OpenBSD comes with IPSec as standard these days, so it could make a nice firewall/VPN gateway combo. I believe quite a few router manufacturers use Hi/fn chips, so it should be fairly good.
I've always wanted an encryptor/decryptor board that is a huge FPGA or similar with a PCI busmaster interface. It would be better if it could hold a large number of different keys that the OS then can control the setting and use of. The key space would be write only memory so they can't be read back by any process. Only written to. The board would operate in burst mode when talking on the PCI bus. It would transfer in a block of memory, encrypt it, then burst mode transfer it out. Its operation would be much like a DMA controller, but with the encryption added in. By using an FPGA one can change the programming of the board as new methods come out. One would need a program protect jumper, but that is easy to do.
-----------
"You can't shake the Devil's hand and say you're only kidding."
This won't help SSL because SSL uses a different type of crypto made up of several parts.
SSL can use DES (not DES-3 but a DES-3 engine should be able to do DES). SSL also uses MD5 and SHA which this device can do so maybe that would help some. The chip does not do the public key things that are required for cert signing and initial key exchange. Once the keys have been exchanged the hardware might be able to speed up some of the other bits but the overhead to talk to the card may be more than it's worth.
Yeah...that would almost be as bad as giving your credit card to, say, a waiter or something where they can take it away and look at it!
I'm just kidding, but I find it kind of interesting that people are willing to hand the piece of plastic over to several people each day, but not transmit it in the clear over the net, where it's far less likely anyone is looking. I say, if you're going to be anal about your credit card numbers, you should be anal in all situations. Of course, that would make it nearly impossible to use the things. Catch 22? Who knows...
IPSec can tell you what machine you're talking to, but not which user AFAIK. So it isn't as powerful as ssh's RSA authentication or SSL client certificates.
Will these crypto chips still be a good idea when AES comes out? It's going to be much faster than 3DES.
3DES is not known to have exploitable weaknesses. If you have a choice between 3DES and anything else, the current choice is 3DES.
The problem is that nothing else is as well-explored; all of the "NSA-safe" algorithms are too new to have been properly dug through.
I personally like RC4 more than DES-type algorithms, but it's even less understood. Twofish is an impressive algorithm as well, but again, its review process has only started. When (if) it becomes AES, then it'll have enough attacks to make it worth considering.
-Billy
The sad part is, even in meta-moderation these mismoderated points won't be corrected. If they hate BSD while moderating, why would their friends who are meta-moderating be any different?
Because metamoderation involves random selection rather than self-selection. Only people "interested" in BSD (or Hi/fn, or HW encryption) will be attracted to this story, and unfortunately there are simply more people negatively than positively interested right now. Hopefully, the random selection involved in metamoderation will result in a more "disinterested" (i.e. impartial) group of people.
-Billy
This particular chip (Hi/fn 7751) was designed and tested to accelerate SSL, so I suspect it won't have a problem there. I've put a couple of million SSL packets through it (give or take a million, who's counting).
-Billy
This would give the BSDs more ground on large e-commerce websites, since hardware crypto is usually used when you need to reduce the load on a loaded SSL server. I say the BSDs because this is likely to be ported over to the rest too.
Cool...
FreeBSD.... The Daemon Made me do it
"Further work will now happen. We wish to support other products (ie. IRE, Bluesteelnet, perhaps even 3COM or PCC-ISES if they would open their minds). Some crypto chip vendors are being extremely friendly to us. If anyone wants to help write drivers, get in touch."
In case anyone cares, specs for the VLSI (Philips) VSC115 are published. Pretty nice performance specs. The official policy is to support Linux driver development for new products, but the details are still in the works and BSD is (alas) not a priority.
Lacking <sarcasm> tags, there are press releases talking about this on the Hi/fn press release page.
How long, do you suppose, before someone makes a keyboard that ssh's (or uses some equivalent measure to encrypt all traffic between the keyboard and computer) to the computer, so that the truly paranoid can feel a little less worried about someone planting a KeyGhost on a machine when they're not looking? Or is that way too paranoid?
-------------------- the list is long. dirac angestung gesept