sign in sign up
<<
Home , Entropy (computing), Niels Provos

Cryptography in Op enBSD: An Overview

Theo de Raadt, Niklas Hallqvist, Artur Grab owski, Angelos D. Keromytis, Niels Provos

fderaadt,niklas,art,angelos,provosg@op enbsd.org

The OpenBSD Project

Abstract trying to make their use as easy and, where p ossi-

ble, transparent to the end user. Thus, more work

Cryptographic mechanisms are an imp ortant se-

is done in those mechanisms that can be used to

curity comp onent of an op erating system in secur-

provide transparent security, e.g., IPsec.

ing the system itself and its communication paths.

With this pap er, weintend to give a good overview

Indeed, in many situations, is the

of the cryptography currently distributed and used

only to ol that can solve a particular problem, e.g.,

in Op enBSD, and of our plans for future work. We

network-level security. While cryptography by it-

hop e this will b e of interest b oth to end-users and ad-

self do es not guarantee security, when applied cor-

ministrators lo oking for b etter ways to protect their

rectly, it can signi cantly improve overall security.

host and networks, and to develop ers in other sys-

Since one of the main fo ci of the Op enBSD system is

tems free or otherwise that are considering sup-

security,various cryptographic mechanisms are em-

p orting some of these mechanisms. We should again

ployed in a numb er of di erent roles.

caution the readers, however, that cryptography

This pap er gives an overview of the cryptography

do es not solve all security problems in an op erat-

employed in Op enBSD. We discuss the various com-

ing system, and should not b e considered as an end

p onents IPsec, SSL libraries, stronger password en-

in itself, but rather as an imp ortant piece of the se-

cryption, Kerb eros IV, random numb er generators,

curity puzzle.

etc., their role in system security, and their inter-

actions with the rest of the system and, where ap-

1.1 Pap er Organization

plicable, the network.

The remainder of this pap er is organized as

follows: section 2 describ es the various network

1 Intro duction

security facilities implemented and supp orted in

Op enBSD, section 3 covers the extensive use of ran-

An imp ortant asp ect of security in a mo dern op-

dom number generators, and section 4 brie y out-

erating system is cryptographic services and mecha-

lines our future plans in this area. Section 5 con-

nisms. While not a security panacea, cryptography

cludes the pap er.

is sometimes the right to ol in solving certain prob-

lems. In particular, cryptography is extremely useful

in solving a numb er of security issues in the following

2 Communications Security

three areas:

In an increasingly networked environment, com-

 Network security.

munications security supp ort in an OS is extremely

 Secure storage facilities.

imp ortant. As there are di erent mechanisms

and di erent layers where one may apply security,

 Pseudo- Random numb er generators.

Op enBSD supp orts a number of security proto cols

and mechanisms, some of whichwere develop ed or

Since one of our goals in the Op enBSD pro ject

even designed by our develop ers. In some cases,

is to provide strong security,wehave implemented a

there is considerable overlap in functionality. One

numb er of proto cols and services in the base system.

of our goals is to eventually make it transparentto

An Op enBSD distribution thus has full supp ort for

the end user which such security mechanism is in

such mechanisms as IPsec, SSL, Kerb eros, etc, b eing

use.

una ected by exp ort restriction laws.

Simply supp orting these mechanisms, however, is The following sections give a brief overview of

not sucient for wide-spread use. We are constantly these mechanisms, some detail of their implemen-

tation and integration in Op enBSD, and our plans The proto cols are ESP Encapsulating SecurityPay-

for future work. As we already mentioned in sec- load [2, 15] and AH Authentication Header [1,14].

tion 1, we consider IPsec an extremely imp ortant Both provide integrity, authenticity, and replay pro-

to ol in network security, b oth b ecause of its p oten- tection, while ESP adds con dentiality to the pic-

tial for user-transparency and its exibility. This is ture. IPsec can also be made to protect IP data-

re ected by the more thorough coverage of IPsec in grams for other hosts. The IPsec endp oints in this

the text that follows. arrangement thereby b ecome security gateways and

Other p opular mechanisms, such as SSH [38], are take part in a virtual private network VPN where

not covered b ecause they are only part of our p orts ordinary IP packets are tunneled inside IPsec [36].

system. While virtually all the develop ers use SSH,

Network-layer securityhasanumberofvery im-

there is no free implementation we can add to our

p ortant advantages over security at other layers of

standard distribution. Furthermore, the currentver-

the proto col stack. Network-layer proto cols are gen-

sion of SSH is restricted by the RSA patentin the

erally hidden from applications, which can there-

US. We are waiting for a free implementation to b e-

fore automatically and transparently take advantage

come available as part of the IETF standardization

of whatever network-layer encryption services that

pro cess of SSH. Such an implementation would be

host provides. Most imp ortantly, network-layer pro-

linked with our libssl.

to cols o er a remarkable exibility not available at

higher or lower layers. They can provide security

2.1 SSL

on an end-to-end securing the data between two

hosts, route-to-route securing data passing over a

In Op enBSD libssl provides a to olkit for the

particular set of links, edge-to-edge securing data

Secure So cket Layer SSL v2/v3 and Transp ort

as it passes from a \secure" network to an \insecure"

Layer Security TLS v1 [6] which provide strong

one, or a combination of these.

cryptographic protection for network communica-

tion such as server authentication and data encryp-

2.2.2 Op eration

tion. The Secure So cket Layer is currently used by

web servers, e.g., Apache as shipp ed with Op enBSD,

Central to b oth ESP and AH are an abstraction

and browsers like Netscap e Communicator. In the

called security asso ciation, or SA. In each SA there

future, applications like telnet and ftp will be con-

is information algorithm IDs, keys, etc. stored

verted to use TLS, p ossibly even during our network

describing how the wanted protection should be

installation pro cess.

setup. For two p eers to be able to communicate

Due to patent restrictions, libssl in the

they need matching SAs at each end. When de-

Op enBSD distribution supp orts only digital signa-

ciding what SA should be used for outb ound traf-

tures with DSA [27], but an additional package is

c, some kind of security p olicy database needs to

provided for users outside the USA to add back

b e consulted. In Op enBSD, this is currently imple-

RSA-signature [19] supp ort. This is implemented

mented as an extension to the routing table, where

by providing two shared libraries: libssl.so.1.0

source/destination addresses, proto col, and p orts

has only function stubs for RSA supp ort, while

serve as selectors.

libssl.so.1.1 contains full RSA supp ort. Notice

Lo oking at the wire format, IPsec works by insert-

that shared library minor-version number changes

ing an extra header b etween the IP header and the

typically indicate interface-transparent bug xes.

payload. This header holds IPsec-sp eci c data, such

as an anti-replay sequence numb er, cryptographic

2.2 IP Security IPsec

synchronization data, and integritycheckvalues. If

the security proto col in use is ESP, a cryptographic

2.2.1 Background

transform is applied to the payload in-place, e ec-

tively hiding the data. As an example, an UDP data-

While IP has proven to be an ecient and robust

gram protected by ESP is shown in gure 1.

proto col when it comes to actually getting data

across the Internet, it do es not inherently provide This mo de of op eration is called transp ort mo de,

any protection of that data. There are no facili- as opp osed to tunnel mo de which is typically used

ties to provide con dentiality, or to ensure the in- when a security gateway is protecting datagrams for

tegrity or authenticityofIP[31] datagrams. In or- other hosts. Tunnel mo de di ers from transp ort

der to remedy the securityweaknesses of IP, a pair mo de by the addition of a new, outer, IP header con-

of proto cols collectively called IP Security, or IPsec sisting of the security gateways' addresses instead of

[3, 16] for short, has b een standardized by the IETF. the actual source and destination, as shown in gure

that has help ed us signi cantly in nding and xing

ating further development.

IP ESP UDP UDP bugs, and in motiv

tly, the API used to setup and maintain the

Header Header Header Data Recen

KEY SA database was switched to the standard PF

[23]. This API is much more exible than the

old PF ENCAP interface. Available algorithms for

Encrypted

encryption are DES [26], 3DES, Cast-128, Blow-

sh [35], and Skip jack supp ort for the latter, de-

Figure 1: IPsec Transp ort Mo de

spite its known weaknesses, was added after re-

quests byUSGovernment agencies using our IPsec

k. One-way hash algorithms are MD5, SHA1

IP ESPIP UDP UDP stac

,21,17]. For key management,

Header Header Header Header Data and RIPEMD160 [20

two daemons are available, isakmpd implementing

IKE [29, 22, 12] and photurisd implementing Pho-

turis [13].

Encrypted

2.2.4 Future Work in IPsec

Figure 2: IPsec Tunnel Mo de

Our IPsec implementation is under constant devel-

opment and improvement, as there remain a number

2.

of unresolved issues.

As was mentioned earlier, this mo de is ideal for

implementing VPNs.

 Our IPv6 stack is not yet integrated with our

The last, but not least, part of the picture is a key

IPsec implementation.

management infrastructure. IPsec can only work if

 Wewant a more exible, p ossibly uni ed p olicy

the keys in the SAs are synchronized and up dated

mechanism. In particular, we are lo oking into

in a secure fashion. To automate this task, di erent

merging routing, security p olicy, and proto col

proto cols have b een devised that allowtwo p eers to

blo ck lo okups.

compute identical keys without actually sending all

the data needed for it over the wire [7, 8]. The Inter-

 Develop or b orrow a p olicy API, rather

net Key Exchange, IKE, is one such, and Photuris is

than use private extensions to PF KEY and

another. The main di erence b etween these two lies

PF ROUTE.

in the complexity level. IKE is a very complex proto-

col which, however, o ers considerable exibilityin

 isakmpd has not yet covered all mandatory re-

negotiating and establishing SAs. IKE is the ocial

quirements in the RFCs.

IETF standard. Both proto cols work in a similar

 A DNSSEC [9] implementation, and integration

vein, by rst building an encrypted application-level

in isakmpd and photurisd, will b e needed for op-

\tunnel" where further key exchanges take place.

p ortunistic encryption.

The Die-Hellman algorithm [7] is used to makeit

computationally hard to crack the key computation.

 isakmpd and photurisd are not linked with lib-

Every SA is assigned a lifetime, either in wall-clo ck

ssl so they will not automatically supp ort RSA

time or in volume, and when such a lifetime expires,

when an RSA-supp orting libssl is installed.

the key management daemon renegotiates with the

p eer, creating new SAs with fresh keys.

 We do not currently do on-demand keying

a facility available in the past through the

2.2.3 Op enBSD IPsec

ENCAP API. PF

Op enBSD's IPsec stackwas written by John Ioan-

 Finally,weintend to supp ort some application

nidis and Angelos Keromytis [18] and later enhance-

API for requesting security and p ossibly other

ments and xes have b een provided by Niels Provos

services. With that in place, weintend to have

and Niklas Hallqvist. The core is stable and in pro-

all networking applications take advantage of

duction use securing data in many places all over

IPsec.

the world, as it do es not su er from US exp ort reg-

ulations. A number of companies, agencies, insti- All of these are improvements that we want to

tutions, and individuals are using the co de, a fact address in the time-frame for the next release.

2.3 Kerb eros integrate the Kerb eros 5 clone b eing develop ed at

KTH as so on as it is stable, esp ecially since Ker-

b eros IV only supp orts DES [26] encryption.

In a networked environment, it is very imp ortant

to b e able to authenticate users in a secure wayover

2.4 S/Key

insecure networks. Kerb eros is a network authenti-

cation proto col using a trusted third-party to pro-

vide authentication and basic session-key exchange.

S/Key [11, 10] is a one-time password system used

Kerb eros is built around a central key distribu- for authentication. It provides protection against

tion center KDC whichkeeps a database of clients

replay attacks where a third party captured a pass-

and servers called principals and their private keys. word, e.g., by means of network sning, and tries

Encryption in Kerb eros is based on DES [26]. When to reuse it in a new authentication session.

the client wants to use some service it issues a re-

S/Key uses a user supplied secret pass-phrase

quest to the KDC for a ticket for that service. The

which is pro cessed by a one-way function to gener-

server returns a message encrypted with the client's

ate a sequence of one-time passwords. In Op enBSD

private key, containing three parts: a session key

the one-way function can b e chosen from a variety

that can b e used for encryption b etween the client

of computationally non-invertible hash functions like

and the server, a timestamp, and a ticket. The ticket

MD5 [34] or SHA1 [28], available in libc. S/Key is

is encrypted with the private key of the server and

still useful when other cryptographic proto cols are

contains the name of the client, a timestamp, the

not available, or their implementations are not fully

clients network address, lifetime of the ticket, and

trusted, e.g., when using a conference terminal ro om

the same session key that the client obtained. The

to login to a home machine.

ticket can b e passed to the server for authentication.

Kerb eros [24] was originally develop ed by pro ject

Athena at MIT, but was not exp ortable from the US

3 Pseudo Random Number Genera-

due to legal restrictions. The cryptographic func-

tors

tionality was removed and a \Bones" distribution

was created and exp orted. The cryptographic in-

A Pseudo Random Number Generator PRNG

terfaces were added backby Eric Young, and KTH

provides applications with a stream of numb ers

The Royal Institute of Technology in Sto ckholm,

whichhave certain imp ortant prop erties for system

Sweden maintained the co de outside the USA. The

security:

Kerb eros implementation in Op enBSD is \kth-krb",

proto col version 4, and is used in a numb er of utili-

 It should b e imp ossible for an outsider to pre-

ties.

dict the output of the random numb er generator

even with knowledge of previous output.

2.3.1 Practical Uses

 The generated numb ers should not have rep eat-

The simplest use of Kerb eros is to authenticate users

ing patterns which means the PRNG should

lo cally on a workstation. The login, xdm, and su pro-

havea very long cycle length.

grams in Op enBSD have the necessary co de to allow

Kerb eros authentication. The next step is to provide

 A PRNG is normally just an algorithm where

authentication for network proto cols. The rlogin,

the same initial starting values will yield the

rsh, and telnet programs have b een mo di ed to use

same sequence of outputs.

Kerb eros. In addition to that, they can use the ses-

sion key, obtained in the authentication phase, to

Some applications have criteria which a ect the

encrypt the data-stream for privacy. Another very

typ e of PRNG which is needed. For instance, later

practical use is in \kx" - a proto col to authenticate

on we will discuss IP datagram IDs and DNS [30]

and forward X11 connections in a secure way. Other

query-IDs, b oth of these issues have qualities which

programs using Kerb eros for authentication include

make it extremely desirable to have a PRNG which

cvs, , and xlock. Kerb eros authentication is also

makes e orts to avoid emitting rep etitions thus rul-

used in AFS.

ing out use of a true-random source.

One of our future goals is to allowkerb erized ap- Many other op erating systems also have random

plications to use IPsec services when p ossible, thus number device drivers and other related mecha-

avoiding double-encryption and consequently de- nisms, but largely make no use of them. Some such

graded p erformance. Furthermore, we intend to systems even provide such supp ort only as optional

device drivers, therefore discouraging use i.e., re- For 16-bit non-rep eating numb ers, we used a

14 15

liance. Op enBSD deviates by actually using these prime 2

mechanisms in numerous ways. A few ma jor inter- erator for Z . Being a generator, g has the prop erty

p

y

faces or techniques are used: that anyvalue 0

mo d p, for some value y .

14

 /dev/?random and similar kernel interfaces

We then pick random a, b and m with 2

15

2 so that

 arc4random3 in lib c

f n a  f n 1 + b mo d m

 non-rep eating PRNG

b ecomes a linear congruential generator LCG.

Each of these, and their uses in Op enBSD, will b e

We then determine the actual ID as

covered in the following sections.

f n

IDn=w  g mo d p;

3.1 Kernel Pool

where w is a random seed. After the linear con-

Computers are generally deterministic devices

gruential generator has b een exhausted, the most

making it very hard to pro duce real random num-

signi cant bit in IDn is toggled and all parame-

b ers. The PRNGs we use in Op enBSD do not gen-

ters g , a, b, m, and w from ab ove are chosen anew.

erate random numb ers themselves. Rather, they ex-

Because the linear congruential generator do es not

pand the randomness they are given as input. For-

rep eat itself and a new numb er space is chosen af-

tunately, a multi-user op erating system has many

ter reinitialization, the generated IDs do not rep eat

external events from which it can derive some ran-

themselves. The PRNG is typically seeded with ma-

domness. In Op enBSD the kernel collects measure-

terial from the kernel randomness p o ol.

ments from various devices such as the inter-keypress

timing from terminals, the arrival time of network

3.3.1 Randomness Used Inside the Kernel

packets, and the nishing time of disk requests. The

randomness from these sources is mixed into the ker-

 Dynamic sin p ort allo cation in bind2.

nel's entropy pool. When a userland program re-

When an AF INET so cket is b ound to a sp eci c

quests random data from the kernel, an MD5 hash

p ort numb er using the bind2 system call, the

is calculated over the whole entropy p o ol, \folded"

pro cess can cho ose the sp eci c p ort, or elect

in half byXOR-ing the upp er and lower word of the

that the system cho ose. Normal UNIX b ehavior

MD5 output, and returned. The user can cho ose the

resulted in the system allo cating p ort numb ers

quality of the generated random numb ers by reading

starting at 1024 and incrementing. Our new

output from the di erent /dev/?random devices.

co de cho oses a random p ort, in the range 1024

to 49151.

3.2 arc4random3

A similar issue existed with reserved p ort cre-

ation, using the bindresvport3 and rresv-

The arc4random3 interface, available in the

port3 library routines, which are supp osed to

Op enBSD libc, makes use of the kernel random-

pick a free p ort in the reserved range typically

ness p o ol, describ ed in the previous section, for

between 600 and 1023. The old b ehavior was

seeding the keystream generator employed by the

to allo cate decreasing p ort numb ers starting at

ARC4 cipher a cipher equivalent to RSADSI's

1023. The old co de for these library routines

RC4. The interface provides supp ort for applica-

e ected this downward search using successive

tions to \add" randomness to the pool maintained

calls to bind2;wehave replaced this with co de

by arc4random3. This interface is intended as a

using a newer kernel interface which is much

drop-in replacement for the traditional Unix ran-

more ecient and cho oses a random p ort num-

dom3 interface, for those applications that need

b er within the reserved range.

higher-quality random numb ers.

There are a numb er of p o orly designed proto cols

3.3 Non-rep eating Random Numb ers

e.g., rsh, ftp which are a ected by predictable

p ort allo cation; we b elieve that our approachis

In Op enBSD, we designed a non-rep eating

making it harder for attackers to gain an edge.

pseudo-random numb er generator that was very fast

and did not require additional resources.  Pro cess PIDs.

struct timeval now;

char buf[20];

gettimeofday&now;

sprintfbuf, "/tmp/foo-d", getpid;

call_msg.rm_xid = getpid ^ now.tv_sec ^

void mkdirbuf, 0600;

now.tv_usec;

Figure 3: The Wrong Way To Generate A

Figure 4: Typical RPC Initialization Co de

\Random" Directory

NFS-exp orted lesystems by making it dicult

Programmers often use this value as if it is ran-

for an attacker to guess lehandles which are

dom, p ossibly b ecause of the comp ellingly at-

partially derived from ino de numb ers.

tractive argument that \pid numb ers are e ec-

tively random on a busy enough system." Co de

 IP datagram IDs.

like \srandomgetpid" is quite common, as is

co de similar to that shown in gure 3.

Each IP packet contains a 16-bit identi er

which is used, if the packet has b een frag-

In a normal system the attacker will havea very

mented, for correctly p erforming reassembly at

easy time predicting the PID and thus the obvi-

the nal destination. Previously, this identi-

ous race attack is trivial. The race is as follows:

er simply incremented every time a new packet

the attacker creates the directory rst, cho os-

was sent out. By lo oking at the identi er in a

ing the mo de and ownership; subsequently it is

sequence of packets, an outsider can determine

p ossible to lo ok at and replace les in the direc-

how busy the target machine is. Another is-

tory.

sue was avoiding disclosure of information when

In Op enBSD, we use randomized PIDs, with a

using IPsec in tunneling mo de, as per section

couple of obvious exceptions, e.g., init8.

2.2.2. A naive implementation might create a

new IP header with an ID one more than the

 RPC transaction IDs XID.

ID in the existing IP header. This could lead to

Sun Microsystems Remote Pro cedure Call

known-plaintext attacks [4] against IPsec.

RPC messages contain a Transaction Identi-

To avoid these problems, we use the non-

er XID which matches a sent query against

rep eating PRNG describ ed in section 3.3.

its received reply. In most RPC systems, the

XID of the rst message a pro cess transmits will

 Randomness added to the TCP ISS value for

b e initialized using the co de shown in gure 4.

protection against sp o o ng attacks.

Subsequently, the XID for each packet is sim-

Inside the kernel, a 32-bit variable called tcp iss

ply incremented from this. Previously we men-

declares the Initial Send Sequence Number

tioned that a lo cal user might b e able to guess

ISS to use on the next TCP [32] session.

what kind of range the next PID on the sys-

The predictability of TCP ISS values has b een

tem might fall into; here we see that an outside

known to b e a security problem for manyyears

attacker might also be able to determine this

[25]. Typical systems added either 32K, 64K,

information. Our new co de uses arc4random

or 128K to that value at various di erent times.

to initialize the XID, and also avoids using two

Instead, our new algorithm adds a xed amount

identical numb ers consecutively.

plus a random amount, signi cantly decreasing

the chances of an attacker guessing the value

 NFS RPC transaction IDs XID.

and thus b eing able to spoof connection con-

The NFS proto col uses RPC packets for com-

tents.

munication. The RPC XID issue also applied

to the NFS co de we encountered, and we now

 Random data-blo ck padding for cryptographic

use the same mechanism for NFS XIDs.

transforms, as in RFC1827 IPsec ESP [2].

 Ino de generation numb ers.

3.3.2 Randomness Used in Userland Li-

The fsirand8 program makes use of

braries

arc4random3 to generate random inode

numb ers for lesystem ob jects  les, direc-  DNS query IDs typically start at 1 and incre-

tories, etc.. This increases the security of ment for each subsequent query. An attacker

can cause a DNS lo okup, e.g., by telneting to  isakmpd and photurisd use the kernel random-

the target host, and spoof the reply, since the ness p o ol for generating IKE \exchange identi-

contentof the query and the ID are known or ers" i.e., proto col co okies and message IDs,

easily predictable. Since host authentication is random Die-Hellman [7] values, and random

still in wide-spread use, this is a serious secu- nonces.

rity vulnerability present in virtually all sys-

 Certain games make use of the arc4random3

tems. Toavoid this issue, wehave mo di ed our

interface for higher quality random numb ers.

in-tree copyofbind8 and our libc resolver to

make use of the non-rep eating PRNG.

 arc4random3 seeding, as mentioned in section

4 Secure Storage

3.2.

One of the areas of least development in Op enBSD

 Stronger temp orary names.

has b een that of secure storage. While a number of

Pro cesses typically create temp orary les by

utilities e.g., vi1, ed1, bdes1, etc. directly

generating a random lename via mktemp3

supp ort encryption services, our goal is to provide

and then op ening that le in the /tmp di-

this service as transparently as p ossible to users.

rectory. A more secure way for doing so is

Ideally, we would like a layer either over or under

through mkstemp3, which generates the le-

the current native lesystem that would provide safe

name and op ens the le in one atomic op era-

storage services.

tion, thus eliminating the p otential for races.

As an interim solution, CFS [5] is included in the

Both functions, which reside in libc, make use

Op enBSD p orts system and can be readily used.

of arc4random3 to generate the random le-

However, it do es not provide the level of trans-

names, making it much harder for an attacker

parency we would like, and its p erformance is well

to guess the names in advance.

b elow what we consider acceptable for general use.

Clearly, more work is needed in this area.

 Generate salts for the various password algo-

Another issue related to secure storage is that

rithms. For some more details, see section 4.1.

of secure logging. Logs and esp ecially security-

related logs are extremely imp ortant in determin-

3.3.3 Randomness Used in Userland Pro-

ing whether a system is under attack or has b een

grams

compromised. The current logging facility, syslog,

 For generating fake S/Key challenges.

do es not provide any facilities for detecting log-

tamp ering, other than the option to send log mes-

One problem with most versions of RFC1938-

sages to another host's syslogd. We are currently

based one time password OTP systems is that

p orting the ssyslog package [37] and are hoping to

it is often p ossible to use them to determine

seamlessly replace the currently-used syslogd.

whether or not a user has an account on a ma-

The remainder of this section brie y covers our

chine. The most trivial example of this is sys-

bcrypt, approach to protecting user passwords, de-

tems that provide a di erent prompt if the user

velop ed inside Op enBSD.

has an entry in the OTP database. However,

even for systems that always provide an OTP

4.1 Bcrypt

prompt, the prompt itself is rarely convincing

and can b e trivially identi ed as a fake. To ad-

dress this problem, the OTP co de in Op enBSD Increasing computational p ower makes the use of

generates a consistent, credible challenge for cryptography to further system security more fea-

non-existent users and users without an entry sible and allows for more tuneable security param-

in the OTP database. It do es so by generating eters such as public key length. However, one se-

the prompt based on the hostname and a hash curity parameter - the length and entropy of user-

of the username and the contents of a le gen- chosen passwords - do es not scale at all with comput-

erated from the kernel random p o ol. This le ing power. Many systems still require user-chosen

is usually created at install time and provides a secret passwords which are hashed to keep them

constant source of random data. Thus, all three secret. When the UNIX password hash crypt3

comp onents of the challenge are constant, but was intro duced in 1976, it could not hash more

only the hostname and username are known to than four passwords p er second. With increasingly

the attacker. more powerful attackers it is common to compute

more than 200,000 password hashes p er second. In their systems.

Op enBSD we use the bcrypt algorithm to make the

cost of password hashing parameterizable. Its de-

sign makes it hard to optimize bcrypt's execution

6 Acknowledgments

sp eed or use commo dity hardware instead of soft-

ware. bcrypt uses a 128-bit salt and encrypts a 192-

We would like to thank Hugh Graham, Todd

bit magic value. It takes advantage of the fact that

Miller, and Chris Turan who provided comments

the Blow sh algorithm used in the core of bcrypt

and sometimes text in earlier versions of this pa-

for password hashing needs a fairly exp ensive key

p er. Wewould also like to thank all the Op enBSD

setup, thus considerably slowing down dictionary-

develop ers for the work they contribute to the

based attacks. bcrypt uses the arc4random3 in-

pro ject, and our users for their continuing supp ort.

terface for password salt-generation. A comparison

between this approach and the mechanism used in

certain other Unix systems for generating salts has

7 Availability

shown that while arc4random3 b ehaved extremely

close to the statistical theoretical exp ectations; in

All the software describ ed in the pap er is available

contrast, other systems pro duced large numb ers of

through the Op enBSD web page at

collisions, making dictionary attacks faster.

A sp ecial con guration le, passwd.conf5, is

http://www.openbsd.org/

used to determine which typ e of password scheme

is used for a given user or group. It is p ossible to

use di erent password schemes for lo cal or YP pass-

8 Disclaimer

words. For bcrypt, the numb er of rounds is also in-

cluded. This facilitates adapting the password veri -

Op enBSD is based in Calgary, Canada. All indi-

cation time to increasing pro cessor sp eed. Currently,

viduals doing cryptography-related work do so out-

6

the default numb er of rounds for a normal user is 2 ,

side countries that have limiting laws.

8

and 2 for \ro ot." bcrypt is used in Op enBSD as the

default password scheme since version 2.1. For more

details, see [33].

References

[1] R. Atkinson. IP Authentication Header. RFC 1826,

5 Conclusion

August 1995.

[2] R. Atkinson. IP Encapsulating Security Payload.

In this pap er, we gave an overview of the cryp-

RFC 1827, August 1995.

tography used in Op enBSD. We presented the sup-

[3] R. Atkinson. Security Architecture for the Internet

p orted network security mechanisms, with particu-

Proto col. RFC 1825, August 1995.

lar emphasis on IP security. We then discussed the

[4] S. Bellovin. Probable Plaintext Cryptanalysis of the

various uses of randomness throughout the system.

IP Security Proto cols. In Proceedings of the Sympo-

Finally,we brie y covered our plans for future work

sium on Network and Distributed System Security,

in the area of secure storage.

pages 155{160, February 1997.

A lot of work remains to be done. In the short

[5] M. Blaze. A Cryptographic File System for Unix.

term, we need to complete the remaining parts of

In Proc. of the 1st ACM Conference on Computer

those mechanisms still under development, keeping

and Communications Security,Novemb er 1993.

in mind of course that security and standards is

amoving target, and constant maintenance and up-

[6] T. Dierks and C. Allen. The TLS proto col ver-

sion 1.0. Request for Comments Prop osed Stan-

dating will b e needed. Beyond that, integration with

dard 2246, Internet Engineering Task Force, Jan-

existing and new utilities is a ma jor item in our

uary 1999.

agenda. Finally,we are considering new mechanisms

that address di erent problems, e.g., untrusted-co de

[7] W. Die and M.E. Hellman. New Directions in

containment.

Cryptography. IEEE Transactions on Information

Theory, IT{226:644{654, Nov 1976.

It is imp ortant to note that all the mechanisms

describ ed in this pap er are currently in use, solving

[8] W. Die, P.C. van Oorschot, and M.J. Wiener.

real problems. We hop e that this pap er will encour-

Authentication and Authenticated Key Exchanges.

Designs, Codes and Cryptography, 2:107{125, 1992. age others to add these or similar mechanisms in

[9] D. Eastlake, 3rd, and C. Kaufman. Domain name [24] S. P. Miller, B. C. Neuman, J. I. Schiller, and J. H.

system security extensions. Request for Comments Saltzer. Kerb eros authentication and authorization

Prop osed Standard 2065, Internet Engineering system. Technical rep ort, MIT, Decemb er 1987.

Task Force, January 1997.

[25] R. T. Morris. A Weakness in the 4.2BSD Unix

[10] N. Haller. The S/KEY one-time password system.

TCP/IP Software. Science Technical

Request for Comments Informational 1760, Inter-

Rep ort 117, AT&T Bell Lab oratories, February

net Engineering Task Force, February 1995.

1985.

[11] Neil M. Haller. the s/key one-time password system.

[26] Data Encryption Standard, January 1977.

In Proceedings of the ISOC Symposium on Network

[27] Digital Signature Standard, May 1994.

and Distributed System Security, 1994.

[28] Secure Hash Standard, April 1995. Also known as:

[12] D. Harkins and D. Carrel. The internet key ex-

59 Fed Reg 35317 1994.

change IKE. Request for Comments Prop osed

Standard 2409, Internet Engineering Task Force,

[29] D. Pip er. The internet IP security domain of in-

Novemb er 1998.

terpretation for ISAKMP. Request for Comments

Prop osed Standard 2407, Internet Engineering

[13] P. Karn and W. Simpson. Photuris: Session-key

Task Force, Novemb er 1998.

management proto col. Request for Comments Ex-

p erimental 2522, Internet Engineering Task Force,

[30] J. Postel. Domain name system structure and del-

March 1999.

egation. Request for Comments Informational

[14] S. Kent and R. Atkinson. IP authentication header.

1591, Internet Engineering Task Force, March 1994.

Request for Comments Prop osed Standard 2402,

[31] Jon Postel. Internet Proto col. Internet RFC 791,

Internet Engineering Task Force, Novemb er 1998.

1981.

[15] S. Kent and R. Atkinson. IP encapsulating security

[32] Jon Postel. Transmission Control Proto col. Internet

payload ESP. Request for Comments Prop osed

RFC 793, 1981.

Standard 2406, Internet Engineering Task Force,

[33] Niels Provos and David Mazi eres. A Future-

Novemb er 1998.

Adaptable Password Scheme. In Proceedings of the

[16] S. Kent and R. Atkinson. Security architecture for

Annual USENIX Technical Conference, 1999.

the internet proto col. Request for Comments Pro-

p osed Standard 2401, Internet Engineering Task

[34] R. Rivest. The MD5 Message-Digest Algorithm.

Force, Novemb er 1998.

Internet RFC 1321, April 1992.

[17] A. Keromytis and N. Provos. The use of HMAC-

[35] Bruce Schneier. Description of a New Variable-

RIPEMD-160-96 within ESP and AH. Internet

Length Key, 64-Bit Blo ck Cipher Blow sh. In Fast

Draft, Internet Engineering Task Force, February

Software Encryption, Cambridge Security Work-

1999. Work in progress.

shop Proceedings, pages 191{204. Springer-Verlag,

Decemb er 1993.

[18] A. D. Keromytis, J. Ioannidis, and J. M. Smith.

Implementing IPsec. In Proceedings of Global Inter-

[36] William Simpson. IP in IP Tunneling. Internet RFC

net GlobeCom '97, pages 1948 { 1952, November

1853, Octob er 1995.

1997.

[37] Secure Syslog. http://www.core-sdi.com/Core- SDI

[19] RSA Lab oratories. PKCS 1: RSA Encryption

/english/slogging/ssyslog.htm l.

Standard,version 1.5 edition, 1993. Novemb er.

[38] T. Ylonen, T. Kivinen, M. Saarinen, T. Rinne, and

[20] C. Madson and R. Glenn. The use of HMAC-

S. Lehtinen. SSH proto col architecture. Internet

MD5-96 within ESP and AH. Request for Com-

Draft, Internet Engineering Task Force, February

ments Prop osed Standard 2403, Internet Engi-

1999. Work in progress.

neering Task Force, Novemb er 1998.

[21] C. Madson and R. Glenn. The use of HMAC-

SHA-1-96 within ESP and AH. Request for Com-

ments Prop osed Standard 2404, Internet Engi-

neering Task Force, Novemb er 1998.

[22] D. Maughan, M. Schertler, M. Schneider, and

J. Turner. Internet security asso ciation and key

management proto col ISAKMP. Request for

Comments Prop osed Standard 2408, Internet En-

gineering Task Force, Novemb er 1998.

[23] D. McDonald, C. Metz, and B. Phan. PF KEY Key

Management API, Version 2. Request for Com-

ments Informational 2367, Internet Engineering

Task Force, July 1998.