OpenBSD Cryptographic Framework

The OpenBSD Cryptographic Framework (OCF) is a service virtualization layer for the uniform management of cryptographic hardware by an operating system. It is part of the OpenBSD Project, having been included in the operating system since OpenBSD 2.8 (December, 2000). Like other OpenBSD projects such as OpenSSH, it has been ported to other systems based on Berkeley Unix such as FreeBSD and NetBSD, and to Solaris and Linux. One of the Linux ports is supported by Intel for use with its proprietary cryptographic software and hardware to provide hardware-accelerated SSL encryption for the open source Apache HTTP Server.


Background

Cryptography is computationally intensive and is used in many different contexts. Software implementations often serve as a bottleneck to information flow or increase network latency. Specialist hardware such as cryptographic accelerators can mitigate the bottleneck problem by introducing parallelism. Certain kinds of hardware, hardware random number generators, can also produce randomness more reliably than a pseudo-random software algorithm by exploiting the entropy of natural events. Unlike graphics applications such as games and film processing where similar hardware accelerators are in common use and have strong operating system support, the use of hardware in cryptography has had relatively low uptake. By the late 1990s, there was a need for a uniform operating system layer to mediate between cryptographic hardware and application software that used it. The lack of this layer led to the production of applications that were hard-coded to work with one or a very small range of cryptographic accelerators. The OpenBSD Project, which has a history of integrating strong, carefully audited cryptography into its operating system's core, produced a framework for the provision of cryptographic hardware acceleration as an operating system service.


/dev/crypto

Application-level support is provided through the pseudo-device /dev/crypto, which provides access to the hardware drivers through a standard ioctl interface. This simplifies the writing of applications and removes the need for the application programmer to understand the operational details of the actual hardware that will be used. /dev/crypto was removed in OpenBSD 5.7, having been superseded by the suite of syscalls.
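
The ioctl interface described above, as an added example that is not code from the OpenBSD project or from the original article: one AES-128-CBC encryption request in which the caller names only an algorithm and the framework selects the driver. It assumes a port that still ships `<crypto/cryptodev.h>` and accepts session ioctls directly on the opened descriptor (older BSD releases first obtain a descriptor with `CRIOGET`); the names `ocf_aes128_cbc_encrypt` and `OCF_UNAVAILABLE` are invented for this example.

```c
/* Added example: one AES-128-CBC request through the crypto(4) ioctl interface.
 * Where no port header is installed it compiles to a stub reporting "unavailable". */
#include <sys/types.h>
#include <sys/ioctl.h>
#include <fcntl.h>
#include <string.h>
#include <unistd.h>
#if defined(__has_include)
#  if __has_include(<crypto/cryptodev.h>)
#    include <crypto/cryptodev.h>
#    define HAVE_CRYPTODEV 1
#  endif
#endif

#define OCF_UNAVAILABLE 1   /* return code chosen for this example */
/* Encrypts len bytes (a multiple of 16) from src into dst.
 * Returns 0 on success, OCF_UNAVAILABLE if there is no usable device,
 * -1 if the driver rejected the session or the request. */
int ocf_aes128_cbc_encrypt(const unsigned char key[16], const unsigned char iv[16],
                           const unsigned char *src, unsigned char *dst, size_t len)
{
#ifdef HAVE_CRYPTODEV
    int fd = open("/dev/crypto", O_RDWR);
    if (fd < 0)
        return OCF_UNAVAILABLE;   /* e.g. OpenBSD 5.7 and later: caller falls back to software */
    struct session_op sess;
    memset(&sess, 0, sizeof sess);
    sess.cipher = CRYPTO_AES_CBC;   /* algorithm only; no hardware details */
    sess.keylen = 16;
    sess.key = (void *)key;
    int rc = -1;
    if (ioctl(fd, CIOCGSESSION, &sess) == 0) {   /* framework binds a driver */
        struct crypt_op cop;
        memset(&cop, 0, sizeof cop);
        cop.ses = sess.ses;
        cop.op = COP_ENCRYPT;
        cop.len = len;
        cop.src = (void *)src;
        cop.dst = (void *)dst;
        cop.iv = (void *)iv;
        rc = ioctl(fd, CIOCCRYPT, &cop) == 0 ? 0 : -1;
        ioctl(fd, CIOCFSESSION, &sess.ses);      /* free the session and its key */
    }
    close(fd);
    return rc;
#else
    (void)key; (void)iv; (void)src; (void)dst; (void)len;
    return OCF_UNAVAILABLE;
#endif
}
```

A caller should treat `OCF_UNAVAILABLE` as the signal to use its software cipher rather than as an error, since the device is absent on current OpenBSD.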


Implications for other subsystems

The OpenBSD implementation of IPsec, the packet-level encryption protocol, was altered so that packets can be decoded in batches, which improves throughput. One rationale for this is to maximize efficiency of hardware usage (larger batches reduce the bus transmission overhead), but in practice the IPsec developers have found that this strategy improves the efficiency even of software implementations. Many Intel firmware hubs on i386 motherboards provide a hardware random number generator, and where possible this facility is used to provide entropy in IPsec. Because OpenSSL uses the OCF, systems with hardware that supports the RSA, DH, or DSA cryptographic protocols will automatically use the hardware without any modification of the software.


Backdoor allegations investigated

On 11 December 2010, a former government contractor named Gregory Perry sent an email to OpenBSD project leader Theo de Raadt alleging that the FBI had paid some OpenBSD ex-developers 10 years previously to compromise the security of the system, inserting "a number of backdoors and side channel key leaking mechanisms into the OCF". Theo de Raadt made the email public on 14 December by forwarding it to the openbsd-tech mailing list and suggested an audit of the IPsec codebase. De Raadt's response was skeptical of the report and he invited all developers to independently review the relevant code. In the weeks that followed, bugs were fixed but no evidence of backdoors was found.


Similarly named Solaris product

Oracle's proprietary operating system Solaris (originally developed by Sun) features an unrelated product called the Solaris Cryptographic Framework, a plug-in system for cryptographic algorithms and hardware.


See also

* OpenBSD security features
* Crypto API (Linux)
* Microsoft CryptoAPI




External links



* overview document provided by the OpenBSD project.
* OCF Linux Project.