OpenBSD Cryptographic Framework
   HOME

TheInfoList



Click Here for Items Related To - OpenBSD Cryptographic Framework
OR:
OpenBSD Cryptographic Framework on:   [Wikipedia]   [Google]   [Amazon]

The OpenBSD Cryptographic Framework (OCF) is a service virtualization layer for the uniform management of cryptographic hardware by an operating system. It is part of the
OpenBSD OpenBSD is a security-focused, free and open-source, Unix-like operating system based on the Berkeley Software Distribution (BSD). Theo de Raadt created OpenBSD in 1995 by forking NetBSD 1.0. According to the website, the OpenBSD project em ...
Project, having been included in the operating system since OpenBSD 2.8 (December, 2000). Like other OpenBSD projects such as OpenSSH, it has been ported to other systems based on
Berkeley Unix The Berkeley Software Distribution or Berkeley Standard Distribution (BSD) is a discontinued operating system based on Research Unix, developed and distributed by the Computer Systems Research Group (CSRG) at the University of California, Berk ...
such as
FreeBSD FreeBSD is a free and open-source Unix-like operating system descended from the Berkeley Software Distribution (BSD), which was based on Research Unix. The first version of FreeBSD was released in 1993. In 2005, FreeBSD was the most popular ...
and
NetBSD NetBSD is a free and open-source Unix operating system based on the Berkeley Software Distribution (BSD). It was the first open-source BSD descendant officially released after 386BSD was forked. It continues to be actively developed and is a ...
, and to
Solaris Solaris may refer to: Arts and entertainment Literature, television and film * ''Solaris'' (novel), a 1961 science fiction novel by Stanisław Lem ** ''Solaris'' (1968 film), directed by Boris Nirenburg ** ''Solaris'' (1972 film), directed by ...
and Linux. One of the Linux ports is supported by Intel for use with its proprietary cryptographic software and hardware to provide hardware-accelerated
SSL SSL may refer to: Entertainment * RoboCup Small Size League, robotics football competition * ''Sesame Street Live'', a touring version of the children's television show * StarCraft II StarLeague, a Korean league in the video game Natural language ...
encryption for the open source
Apache HTTP Server The Apache HTTP Server ( ) is a free and open-source cross-platform web server software, released under the terms of Apache License 2.0. Apache is developed and maintained by an open community of developers under the auspices of the Apache So ...
.


Background

Cryptography is computationally intensive and is used in many different contexts. Software implementations often serve as a bottleneck to information flow or increase network latency. Specialist hardware such as
cryptographic accelerator In computing, a cryptographic accelerator is a co-processor designed specifically to perform computationally intensive cryptographic operations, doing so far more efficiently than the general-purpose CPU. Because many servers' system load consists ...
s can mitigate the bottleneck problem by introducing parallelism. Certain kinds of hardware, hardware random number generators, can also produce randomness more reliably than a pseudo-random software algorithm by exploiting the entropy of natural events. Unlike graphics applications such as games and film processing where similar hardware accelerators are in common use and have strong operating system support, the use of hardware in cryptography has had relatively low uptake. By the late 1990s, there was a need for a uniform operating system layer to mediate between cryptographic hardware and application software that used it. The lack of this layer led to the production of applications that were hard-coded to work with one or a very small range of cryptographic accelerators. The OpenBSD Project, which has a history of integrating strong, carefully audited cryptography into its operating system's core, produced a framework for the provision of cryptographic hardware acceleration as an operating system service.


/dev/crypto

Application-level support is provided through the pseudo-device , which provides access to the hardware drivers through a standard ioctl interface. This simplifies the writing of applications and removes the need for the application programmer to understand the operational details of the actual hardware that will be used. was removed in OpenBSD 5.7, having been superseded by the suite of syscalls.


Implications for other subsystems

The OpenBSD implementation of IPsec, the packet-level encryption protocol, was altered so that packets can be decoded in batches, which improves throughput. One rationale for this is to maximize efficiency of hardware usage—larger batches reduce the bus transmission overhead—but in practice the IPsec developers have found that this strategy improves the efficiency even of software implementations. Many Intel firmware hubs on i386 motherboards provide a hardware random number generator, and where possible this facility is used to provide entropy in IPsec. Because
OpenSSL OpenSSL is a software library for applications that provide secure communications over computer networks against eavesdropping or need to identify the party at the other end. It is widely used by Internet servers, including the majority of HTT ...
uses the OCF, systems with hardware that supports the RSA, DH, or DSA cryptographic protocols will automatically use the hardware without any modification of the software.


Backdoor allegations investigated

: On 11 December 2010, a former government contractor named Gregory Perry sent an email to OpenBSD project leader Theo de Raadt alleging that the FBI had paid some OpenBSD ex-developers 10 years previously to compromise the security of the system, inserting "a number of backdoors and side channel key leaking mechanisms into the OCF". Theo de Raadt made the email public on 14 December by forwarding it to the openbsd-tech mailing list and suggested an audit of the IPsec codebase. De Raadt's response was skeptical of the report and he invited all developers to independently review the relevant code. In the weeks that followed, bugs were fixed but no evidence of backdoors was found.


Similarly named Solaris product

Oracle An oracle is a person or agency considered to provide wise and insightful counsel or prophetic predictions, most notably including precognition of the future, inspired by deities. As such, it is a form of divination. Description The word '' ...
's proprietary operating system
Solaris Solaris may refer to: Arts and entertainment Literature, television and film * ''Solaris'' (novel), a 1961 science fiction novel by Stanisław Lem ** ''Solaris'' (1968 film), directed by Boris Nirenburg ** ''Solaris'' (1972 film), directed by ...
(originally developed by Sun) features an unrelated product called the Solaris Cryptographic Framework, a plug-in system for cryptographic algorithms and hardware.


See also

*
OpenBSD security features The OpenBSD operating system focuses on security and the development of security features. According to author Michael W. Lucas, OpenBSD "is widely regarded as the most secure operating system available anywhere, under any licensing terms." API ...
* Crypto API (Linux) * Microsoft CryptoAPI


References

{{Reflist, 2, refs= Intel Corporation, 2008
OpenSSL and Apache--Software
/ref> Linux-cryptodev
{{webarchive, url=https://web.archive.org/web/20120320070655/http://home.gna.org/cryptodev-linux/ , date=2012-03-20 Keromytis, Wright, de Raadt and Burnside, ''Cryptography As An Operating System Service: A Case Study'', ACM Transactions on Computing Systems, Vol 23, No 1, February 2006, pages 1-38
PDF
/ref> {{cite mailing list , url = http://marc.info/?l=openbsd-tech&m=129236621626462&w=2 , title = Allegations regarding OpenBSD IPSEC , first = Theo , last = de Raadt , date = 2010-12-14 , mailing-list = openbsd-tech {{citation , url = http://www.osnews.com/story/24136/_FBI_Added_Secret_Backdoors_to_OpenBSD_IPSEC_ , title = FBI Added Secret Backdoors to OpenBSD IPSEC , first = Thom , last = Holwerda , work =
OSNews OSNews is a computing online newspaper. It originally focused on operating systems and their related technologies that launched in 1997, but is now aggregating consumer electronics news. The content is managed by a group of editors and the owner. ...
, date = 2010-12-14 , access-date = 2011-12-13 {{citation , url = https://arstechnica.com/open-source/news/2010/12/openbsd-code-audit-uncovers-bugs-but-no-evidence-of-backdoor.ars , title = OpenBSD code audit uncovers bugs, but no evidence of backdoor , first = Paul , last = Ryan , work =
Ars Technica ''Ars Technica'' is a website covering news and opinions in technology, science, politics, and society, created by Ken Fisher and Jon Stokes in 1998. It publishes news, reviews, and guides on issues such as computer hardware and software, sci ...
, publisher =
Condé Nast Digital Condé is a French place name and personal name. It is ultimately derived from a Celtic word, "Condate", meaning "confluence" (of two rivers) - from which was derived the Romanised form "Condatum", in use during the Roman period, and thence to ...
, date = 2010-12-23 , access-date = 2011-01-09 crypto(4) in OpenBSD manual
/ref>


External links



overview document provided by the OpenBSD project.
OCF Linux
Project. Cryptographic Framework Applications of cryptography Cryptographic software