From: Michael Tremer <michael.tremer@ipfire.org>
To: documentation@lists.ipfire.org
Subject: Re: Cryptography
Date: Sat, 08 Feb 2014 15:37:52 +0100
Message-ID: <1391870272.21794.154.camel@rice-oxley.tremer.info>
In-Reply-To: <588CE637-2C6C-4F5B-9208-811574F2E5D8@ipfire.org>
Hi,
On Fri, 2014-02-07 at 11:58 +0100, ummeegge wrote:
> Hi all,
> another idea for a potential info pool in that term could be a compatibility list for the different ciphers and digests and the different OS's (especially the OpenSSL-1.0.1f library, which comes with IPFire-2.15, brought some new ones).
> For example the CAMELLIA or SEED cipher aren't compatible with most smartphones and also some older OS's like OS X 10.6 (which is still widely used) or Windows 7 and below.
> But also the Whirlpool or SHA384/512 hash algorithms are interesting to check against common but also older operating systems, to name a few.
This is indeed a very good idea and of course influences the decision a
lot.
I am just wondering if we are able to have a global matrix for OpenVPN
and IPsec or if we need to split that up? I would suggest to have two
different matrices for that.
> For the OpenVPN server on IPFire for example the ciphers and digests (selection in the WUI is in development) are globally defined and a fallback to older ciphers/digests isn't possible at this time. If a wide range of different client OS's are used now, the question on the lowest common denominator possibly comes up. So a compatibility list can help to make a good decision.
> We have started with a little list --> http://wiki.ipfire.org/en/configuration/services/openvpn/extensions/zertkonvert#openvpns_cipher_and_digests_tests_with_openssl_version_101f which should only help temporarily for testing purposes and should only serve an idea/example to this.
I would also like to suggest to make two matrices. One for the ciphers,
one for the hashing algorithms.
That makes it a bit easier because the table doesn't get too huge.
> Another point might be a timeline for the generation of the root/host certificates. We work currently on a flip menu in OpenVPN WUI where different bit sizes of the Diffie-Hellman key can be selected (1024, 2048, 3072 and 4096). The generation time for 4096 bit on an ALIX platform needed for example ~ 13 hours, 1024 bit instead 1.5 minutes, people might think something is broken while generating a new PKI so a hint for generation can help to understand such process better?
With beta 1, generating keys on ALIX boards should be done within a
second because the RNG is used for that.
Benchmarking the times is nothing different than a measurement for how
much entropy is generated by the system, so I think that there is not
too much use for this. You will have to wait the time it takes to
generate the key. If it takes way too long, then you should search for a
source of entropy.
We have still lots of other places to work on, so I would like to keep
this as short as possible and cut everything that is not essentially
required.
>
> These points do not target how strong or weak or useful a cipher/hash or a key is now, but this can also give some technical background info.
Are you planning to point to sources? That is fine. But please do not
copy or re-write texts about how AES works internally.
> --------------
>
> A reference to different organizations with crypto background can also be an interesting point in that kind of wiki.
>
> For example:
> - http://www.iacr.org/
> - https://www.cosic.esat.kuleuven.be/nessie/
> - http://www.ecrypt.eu.org/
> - http://www.ecrypt.eu.org/stream/
> - http://www.nist.org/news.php
> - https://www.teletrust.de/
> - https://www.bsi.bund.de/EN/Publications/publications_node.html
>
> Possibly some special sections are more interesting than others, but as a first idea ???
>
> Greetings
>
>
> Erik
>
>
>
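The lowest-common-denominator question from this thread, as an added example that is not part of the original message or of IPFire's code: with one globally defined cipher and digest and no fallback, the usable server setting is the most-preferred algorithm that every client supports, shown here as two separate matrices. The client names, support sets and preference orders are constructed assumptions, not compatibility test results.

```python
# Preference orders are an assumption for illustration (site policy decides them).
CIPHER_PREFERENCE = ["AES-256-CBC", "CAMELLIA-256-CBC", "AES-128-CBC", "SEED-CBC", "BF-CBC"]
DIGEST_PREFERENCE = ["SHA512", "SHA384", "whirlpool", "SHA256", "SHA1"]

# Constructed sample data for hypothetical clients, NOT real compatibility results.
CLIENTS = {
    "desktop-current": {"ciphers": set(CIPHER_PREFERENCE), "digests": set(DIGEST_PREFERENCE)},
    "smartphone": {"ciphers": {"AES-256-CBC", "AES-128-CBC", "BF-CBC"},
                   "digests": {"SHA512", "SHA384", "SHA256", "SHA1"}},
    "legacy-desktop": {"ciphers": {"AES-128-CBC", "BF-CBC"},
                       "digests": {"SHA256", "SHA1"}},
}

def matrix(clients, kind, preference):
    """Rows of (algorithm, {client: supported?}) in preference order."""
    return [(alg, {name: alg in sup[kind] for name, sup in clients.items()})
            for alg in preference]

def common_choice(clients, kind, preference):
    """Most-preferred algorithm supported by every client, or None."""
    for alg, row in matrix(clients, kind, preference):
        if all(row.values()):
            return alg
    return None

def blockers(clients, kind, preference):
    """Clients that rule out each algorithm ranked above the common choice."""
    blocked = {}
    for alg, row in matrix(clients, kind, preference):
        missing = sorted(name for name, ok in row.items() if not ok)
        if not missing:
            break
        blocked[alg] = missing
    return blocked

def render(clients, kind, preference):
    """Plain-text matrix: one row per algorithm, one column per client."""
    names = sorted(clients)
    lines = ["%-18s %s" % (kind, "  ".join(names))]
    for alg, row in matrix(clients, kind, preference):
        cells = "  ".join(("yes" if row[n] else "no").ljust(len(n)) for n in names)
        lines.append("%-18s %s" % (alg, cells))
    return "\n".join(lines)

if __name__ == "__main__":
    for kind, pref in (("ciphers", CIPHER_PREFERENCE), ("digests", DIGEST_PREFERENCE)):
        print(render(CLIENTS, kind, pref))
        print("server setting:", common_choice(CLIENTS, kind, pref))
        print("blocked by:", blockers(CLIENTS, kind, pref), "\n")
```

The blockers output names which client would have to be upgraded or dropped before a higher-ranked algorithm could become the global setting.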