From: ummeegge <ummeegge@ipfire.org>
To: documentation@lists.ipfire.org
Subject: Re: Cryptography
Date: Fri, 07 Feb 2014 11:58:26 +0100 [thread overview]
Message-ID: <588CE637-2C6C-4F5B-9208-811574F2E5D8@ipfire.org> (raw)
In-Reply-To: <1391696720.21794.100.camel@rice-oxley.tremer.info>
[-- Attachment #1: Type: text/plain, Size: 2409 bytes --]
Hi all,
another idea for a potential info pool in that term could be a compatibility list for the different ciphers and digests and the different OS´s (especially the OpenSSL-1.0.1f library, which comes with IPFire-2.15, brought some new ones) .
For example the CAMELLIA or SEED cipher aren´t compatible with mostly smartphones and also some older OS´s like OS X 10.6 (which is still widely used) or Windows 7 and below.
But also the Whirlpool or SHA384/512 hash algorithms are interesting to check against common but also older operating systems, to name a few.
For the OpenVPN server on IPFire for example the ciphers and digests (selection in the WUI is in development) are globally defined and a fallback to older ciphers/digests isn´t possible at this time. If a wide range of different client OS´s are used now, the question on the lowest common denominator possibly comes up. So a compatibility list can help to make a good decision.
We have started with a little list --> http://wiki.ipfire.org/en/configuration/services/openvpn/extensions/zertkonvert#openvpns_cipher_and_digests_tests_with_openssl_version_101f which should only help temporarily for testing purposes and should only serve an idea/example to this.
Another point might be a timeline for the generation of the root/host certificates. We work currently on a flip menu in OpenVPN WUI where different bit sizes of the Diffie-Hellman key can be selected (1024, 2048, 3072 and 4096). The generation time for 4096 bit on a ALIX platform needed for example ~ 13 hours, 1024 bit instead 1.5 minutes, people might think something is broken while generating a new PKI so a hint for generation can help to understand such process better ?
This points does not targeting how strong or week or useful a cipher/hash or a key is now, but this can give also some technical background info´s.
--------------
A reference to different organizations with crypto background can also be an interesting point in that kind of wiki.
For example:
- http://www.iacr.org/
- https://www.cosic.esat.kuleuven.be/nessie/
- http://www.ecrypt.eu.org/
- http://www.ecrypt.eu.org/stream/
- http://www.nist.org/news.php
- https://www.teletrust.de/
- https://www.bsi.bund.de/EN/Publications/publications_node.html
Possibly some special section are more interesting then others, but as a first idea ???
Greetings
Erik
next prev parent reply other threads:[~2014-02-07 10:58 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-02-06 13:52 Cryptography Michael Tremer
2014-02-06 14:15 ` Cryptography Tom Rymes
2014-02-06 14:25 ` Cryptography Michael Tremer
2014-02-07 10:58 ` ummeegge [this message]
2014-02-08 14:37 ` Cryptography Michael Tremer
2014-02-09 20:59 ` Cryptography ummeegge
2014-02-06 14:25 ` Cryptography 5p9
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=588CE637-2C6C-4F5B-9208-811574F2E5D8@ipfire.org \
--to=ummeegge@ipfire.org \
--cc=documentation@lists.ipfire.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox