From: ummeegge
To: documentation@lists.ipfire.org
Subject: Re: Cryptography
Date: Fri, 07 Feb 2014 11:58:26 +0100
Message-ID: <588CE637-2C6C-4F5B-9208-811574F2E5D8@ipfire.org>
In-Reply-To: <1391696720.21794.100.camel@rice-oxley.tremer.info>

Hi all,

another idea for a potential info pool in that term could be a compatibility list for the different ciphers and digests and the different OSes (especially the OpenSSL-1.0.1f library, which comes with IPFire-2.15, brought some new ones).

For example, the CAMELLIA or SEED ciphers aren't compatible with most smartphones and also some older OSes like OS X 10.6 (which is still widely used) or Windows 7 and below.

But also the Whirlpool or SHA384/512 hash algorithms are interesting to check against common but also older operating systems, to name a few.

For the OpenVPN server on IPFire, for example, the ciphers and digests (selection in the WUI is in development) are globally defined and a fallback to older ciphers/digests isn't possible at this time. If a wide range of different client OSes are used now, the question of the lowest common denominator possibly comes up. So a compatibility list can help to make a good decision.

We have started with a little list --> http://wiki.ipfire.org/en/configuration/services/openvpn/extensions/zertkonvert#openvpns_cipher_and_digests_tests_with_openssl_version_101f which should only help temporarily for testing purposes and should only serve as an idea/example for this.

Another point might be a timeline for the generation of the root/host certificates. We are currently working on a flip menu in the OpenVPN WUI where different bit sizes of the Diffie-Hellman key can be selected (1024, 2048, 3072 and 4096). The generation time for 4096 bit on an ALIX platform was, for example, ~13 hours, for 1024 bit instead 1.5 minutes; people might think something is broken while generating a new PKI, so a hint for generation can help to understand such a process better?

These points do not target how strong or weak or useful a cipher/hash or a key is now, but this can also give some technical background info.

--------------

A reference to different organizations with crypto background can also be an interesting point in that kind of wiki. For example:

- http://www.iacr.org/
- https://www.cosic.esat.kuleuven.be/nessie/
- http://www.ecrypt.eu.org/
- http://www.ecrypt.eu.org/stream/
- http://www.nist.org/news.php
- https://www.teletrust.de/
- https://www.bsi.bund.de/EN/Publications/publications_node.html

Possibly some special sections are more interesting than others, but as a first idea ???

Greetings

Erik
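The lowest-common-denominator question raised in the mail above, as an added example that is not part of the original message or of IPFire's code: it intersects the cipher listings collected from each client (for instance saved `openvpn --show-ciphers` output) to find what a globally defined server cipher can safely be. The two listing line formats, the client names, the sample data and all function names are assumptions made for illustration.

```python
import re

# Matches cipher lines in both assumed listing styles:
#   "AES-256-CBC 256 bit default key (fixed)"
#   "AES-256-CBC  (256 bit key, 128 bit block)"
CIPHER_LINE = re.compile(r"^([A-Z0-9]+(?:-[A-Z0-9]+)*)\s+\(?\d+ bit")

def parse_ciphers(listing):
    """Return the set of cipher names found in one client's listing."""
    names = set()
    for line in listing.splitlines():
        m = CIPHER_LINE.match(line.strip())
        if m:
            names.add(m.group(1))
    return names

def common_ciphers(listings):
    """Map {client: listing text} -> ciphers every client supports."""
    sets = {c: parse_ciphers(t) for c, t in listings.items()}
    empty = [c for c, s in sets.items() if not s]
    if empty:
        # An unparsed listing must not silently shrink the result to nothing.
        raise ValueError("no ciphers parsed for: " + ", ".join(sorted(empty)))
    return set.intersection(*sets.values())

def excluded_by(listings, cipher):
    """Clients that could not connect if `cipher` were set globally."""
    return sorted(c for c, t in listings.items()
                  if cipher not in parse_ciphers(t))

# Constructed sample listings; not real compatibility data.
SAMPLE = {
    "ipfire-server": """The following ciphers and cipher modes are available
AES-256-CBC 256 bit default key (fixed)
BF-CBC 128 bit default key (variable)
CAMELLIA-256-CBC 256 bit default key (fixed)
SEED-CBC 128 bit default key (fixed)""",
    "old-desktop": """AES-256-CBC 256 bit default key (fixed)
BF-CBC 128 bit default key (variable)""",
    "smartphone": """AES-256-CBC  (256 bit key, 128 bit block)
BF-CBC  (128 bit key, 64 bit block)""",
}

if __name__ == "__main__":
    print("usable by all clients:", sorted(common_ciphers(SAMPLE)))
    print("CAMELLIA-256-CBC excludes:",
          excluded_by(SAMPLE, "CAMELLIA-256-CBC"))
```

The same intersection works for digests if the listings come from `openvpn --show-digests` and the pattern is adapted to that output.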