-
Notifications
You must be signed in to change notification settings - Fork 43
/
crypto.html
139 lines (121 loc) · 5.04 KB
/
crypto.html
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
<!doctype html>
<html lang=en>
<meta charset=utf-8>
<title>OpenBSD: Cryptography</title>
<meta name="viewport" content="width=device-width, initial-scale=1">
<link rel="stylesheet" type="text/css" href="openbsd.css">
<link rel="canonical" href="https://www.openbsd.org/crypto.html">
<style>
h3 {
color: var(--red);
}
</style>
<h2 id=OpenBSD>
<a href="index.html">
<i>Open</i><b>BSD</b></a>
Cryptography
</h2>
<hr>
<h3 id="why">Why do we ship cryptography?</h3>
<p>
In three words: <strong>because we can</strong>.
<p>
The OpenBSD project is based in Canada.
<p>
The <a href="ECL.html">Export Control List of Canada</a>
places no significant restriction on the export of
cryptographic software, and is even more explicit about the free
export of freely-available cryptographic software. Marc Plumb has
done
<a href="http://www.efc.ca/pages/doc/crypto-export.html">
some research to test the cryptographic laws</a>.
<p>
Hence the OpenBSD project has embedded cryptography into numerous places
in the operating system. We require that the cryptographic software we
use be <a href="policy.html">freely available and with good licenses</a>.
We do not directly use cryptography with nasty patents.
We also require that such software is from countries with useful export
licenses because we do not wish to break the laws of any country.
<p>
OpenBSD was the first operating system to ship with an IPsec stack.
We've been including IPsec since the OpenBSD 2.1 release in 1997.
<h3 id="ssh">OpenSSH</h3>
<p>
As of the 2.6 release, OpenBSD contains
<a href="https://www.openssh.com/">OpenSSH</a>, an absolutely free and
patent unencumbered version of ssh.
<a href="https://www.openssh.com/">OpenSSH</a> interoperated with ssh
version 1 and had many added features,
<ul>
<li>
all components of a restrictive nature (i.e., patents, see
<a href="https://man.openbsd.org/?query=ssl&sektion=8">ssl(8)</a>)
had been directly removed from the source code; any licensed or
patented components used external libraries.
<li>
had been updated to support ssh protocol 1.5.
<li>
supported one-time password authentication with
<a href="https://man.openbsd.org/?query=skey&sektion=1">skey(1)</a>.
</ul>
<p>
Roughly said, we took a free license release of ssh, OpenBSD-ifyed it.
About a year later, we extended OpenSSH to also do SSH 2 protocol, the
result being support for all 3 major SSH protocols: 1.3, 1.5, 2.0.
<h3 id="people">International Cryptographers Wanted</h3>
<p>
Of course, our project needs people to work on these systems. If any
non-American cryptographer who meets the constraints listed earlier is
interested in helping out with embedded cryptography in OpenBSD,
please contact us.
<h3 id="papers">Further Reading</h3>
<p>
A number of papers have been written by OpenBSD team members, about
cryptographic changes they have done in OpenBSD. The postscript
versions of these documents are available as follows.
<ul>
<li>A Future-Adaptable Password Scheme.<br>
<a href="events.html#usenix99">Usenix 1999</a>,
by <a href="mailto:provos@openbsd.org">Niels Provos</a>,
<a href="mailto:dm@openbsd.org">David Mazieres</a>.<br>
<a href="papers/bcrypt-paper.ps">paper</a> and
<a href="papers/bcrypt-slides.ps">slides</a>.
<p>
<li>Cryptography in OpenBSD: An Overview.<br>
<a href="events.html#usenix99">Usenix 1999</a>,
by <a href="mailto:deraadt@openbsd.org">Theo de Raadt</a>,
<a href="mailto:niklas@openbsd.org">Niklas Hallqvist</a>,
<a href="mailto:art@openbsd.org">Artur Grabowski</a>,
<a href="mailto:angelos@openbsd.org">Angelos D. Keromytis</a>,
<a href="mailto:provos@openbsd.org">Niels Provos</a>.<br>
<a href="papers/crypt-paper.ps">paper</a> and
<a href="papers/crypt-slides.ps">slides</a>.
<p>
<li>Implementing Internet Key Exchange (IKE).<br>
<a href="events.html#usenix2000">Usenix 2000</a>,
by <a href="mailto:niklas@openbsd.org">Niklas Hallqvist</a> and
<a href="mailto:angelos@openbsd.org">Angelos D. Keromytis</a>.<br>
<a href="papers/ikepaper.ps">paper</a> and
<a href="papers/ikeslides.ps">slides</a>.
<p>
<li>Encrypting Virtual Memory.<br>
<a href="events.html#sec2000">Usenix Security 2000</a>,
<a href="mailto:provos@openbsd.org">Niels Provos</a>.<br>
<a href="papers/swapencrypt.ps">paper</a> and
<a href="papers/swapencrypt-slides.ps">slides</a>.
<p>
<li>The Design of the OpenBSD Cryptographic Framework.<br>
<a href="events.html#usenix2003">Usenix 2003</a>, by
<a href="mailto:angelos@openbsd.org">Angelos D. Keromytis</a>,
<a href="mailto:jason@openbsd.org">Jason L. Wright</a>, and
<a href="mailto:deraadt@openbsd.org">Theo de Raadt</a>.<br>
<a href="papers/ocf.pdf">paper</a>.
<p>
<li>Cryptography As an Operating System Service: A Case Study.<br>
<a href="http://www.acm.org/tocs/">ACM Transactions on Computer Systems</a>,
February 2006, by
<a href="mailto:angelos@openbsd.org">Angelos D. Keromytis</a>,
<a href="mailto:jason@openbsd.org">Jason L. Wright</a>, and
<a href="mailto:deraadt@openbsd.org">Theo de Raadt</a>.<br>
<a href="papers/crypt-service.pdf">paper</a>.
</ul>