Slashdot Mirror


Hardware Crypto Support In OpenBSD

As seen on the OpenBSD -announce list, OpenBSD now has hardware cryptographic support to boost IPSEC performance. "Currently, only cards using the HiFn 7751 chip can be used. This Hifn chip is an IPSEC-oriented DES/3DES and SHA1/MD5 hmac engine; ie. only symmetric cryptography... we are getting 63.12Mb/s 3des/sha1 ESP IPSEC. That's documented as the top performance the chip can provide. In other words, we're pretty damn impressed at ourselves." Read on for more from the message, or go straight to the OpenBSD Hardware Crypto page.

"Further work will now happen. We wish to support other products (ie. IRE, Bluesteelnet, perhaps even 3COM or PCC-ISES if they would open their minds). Some crypto chip vendors are being extremely friendly to us. If anyone wants to help write drivers, get in touch."

"We also hope to add more parts to our cryptography framework so that it can supply RSA/DSA type operations for chips that support that, so that OpenSSL can use the framework, and thus enhance everything from https to ssh performance. We have grand schemes in mind."

"If you order a card from www.powercrypt.com, tell them you intend to use it with OpenBSD. I have heard rumours they are allowed to export it."

"Most of this work was done by Jason Wright and Angelos Keromytis."
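The 3des/sha1 ESP that the announcement benchmarks is encrypt-then-MAC: the receiver checks an HMAC-SHA1-96 integrity check value over the SPI, sequence number and ciphertext before it does anything with the ciphertext, and an anti-replay window drops resent packets. The Python below is an added example, not code from the announcement or from OpenBSD, showing those two receiver-side checks; the 3DES ciphertext the 7751 would produce is replaced by constructed bytes, and the key and SPI are made up.

```python
import hashlib
import hmac
import struct

ICV_LEN = 12  # HMAC-SHA1-96 (RFC 2404): 160-bit HMAC truncated to 96 bits

def esp_icv(auth_key, spi, seq, body):
    """ICV over the ESP header (SPI, sequence number) and the encrypted body."""
    data = struct.pack("!II", spi, seq) + body
    return hmac.new(auth_key, data, hashlib.sha1).digest()[:ICV_LEN]

def build_esp(auth_key, spi, seq, body):
    """Sender: header || body || ICV. `body` stands in for IV + 3DES-CBC ciphertext + trailer."""
    return struct.pack("!II", spi, seq) + body + esp_icv(auth_key, spi, seq, body)

class ReplayWindow:
    """Sliding anti-replay window (RFC 2401 style): bit n of bitmap = highest - n."""
    def __init__(self, size=64):
        self.size, self.highest, self.bitmap = size, 0, 0

    def check_and_update(self, seq):
        if seq == 0:                      # 0 is never a valid ESP sequence number
            return False
        if seq > self.highest:            # newer than anything seen: slide the window
            shift = seq - self.highest
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.highest = seq
            return True
        diff = self.highest - seq
        if diff >= self.size or self.bitmap & (1 << diff):
            return False                  # too old, or already received
        self.bitmap |= 1 << diff
        return True

def verify_esp(auth_key, packet, window):
    """Receiver: (spi, seq, body) on success, None when the packet must be dropped."""
    if len(packet) < 8 + ICV_LEN:
        return None
    spi, seq = struct.unpack("!II", packet[:8])
    body, icv = packet[8:-ICV_LEN], packet[-ICV_LEN:]
    # Authenticate first, in constant time, before doing any work on the ciphertext.
    if not hmac.compare_digest(icv, esp_icv(auth_key, spi, seq, body)):
        return None
    if not window.check_and_update(seq):  # only authenticated packets move the window
        return None
    return spi, seq, body
```

A packet that fails the ICV never touches the replay window, so an attacker cannot advance the window with forged sequence numbers; a replayed packet with a valid ICV is rejected by the window.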

1 of 65 comments

  1. Re:Does IPSEC obsolete SSH/SSL/etc? by William Tanksley · Score: 4

    Hmm. Well, the problem is that a network link is rather connection-oriented; it only encrypts stuff going from your machine to another specific one.

    If you try to visit any other sites, as when web browsing, you're not using the secured link any more, so you have to negotiate a new one.

    The main use for this type of technology is VPNs: two separate buildings full of computers which want to be on the same network, but which want to use the internet (cheap) rather than a leased line (expensive). In that case, we simply plug one of these 7751 boards into the routers in each building, and tell the routers to encrypt when talking to each other. None of the users need know that they're being protected :).

    -Billy