[cryptography] FreeBSD crypto and security meta [was: zfs review 4185 New hash algo]

grarpamp grarpamp at gmail.com
Mon Oct 7 15:56:51 EDT 2013


> Date: Mon, 7 Oct 2013 11:44:57 +0200
> From: Pawel Jakub Dawidek <pjd at FreeBSD.org>
> To: zfs at lists.illumos.org
> Subject: Re: [zfs] [Review] 4185 New hash algorithm support
>
> On Mon, Oct 07, 2013 at 12:47:52AM +0100, Saso Kiselkov wrote:
>> Please review what frankly has become a bit of a large-ish feature:
>> http://cr.illumos.org/~webrev/skiselkov/new_hashes/
>>
>> This webrev implements new hash algorithms for ZFS with much improved
>> performance. There are three algorithms included:
> [...]
>
> Personally I'd love to have an option to use HMAC/SHA256 for example
> with secret key stored in pool. Currently in our product we put ZFS with
> SHA256 on top of block-level disk encryption. I'd feel much better to
> have proper data authentication using HMAC. At some point I may find
> time to implement that based on your patch.

With recent news renewing broad interest in self/peer examining
the security of the entire spectrum of products... has the FreeBSD
implementation of GELI/crypto/random published design papers,
presentations and reviews? Are these collected centrally for easy
reference by the community?

Quick ref:
https://www.freebsd.org/cgi/man.cgi?query=geli
https://www.freebsd.org/cgi/man.cgi?query=crypto&sektion=9
https://www.freebsd.org/cgi/man.cgi?query=crypto&sektion=4
https://www.freebsd.org/cgi/man.cgi?query=random&sektion=4
https://www.freebsd.org/cgi/man.cgi?query=rndtest&sektion=4

Further, and more generally on the higher level meta topics we've seen...
How is FreeBSD working with the community regarding possible
updates to cipher suites, embedded crypto libraries, and the like?
Similarly, how is it approaching the movement towards end-to-end
toolchain integrity... from the repository, through deterministic builds,
and on out to secure distribution and updates?

This should be viewed not as a pointer but 'While we're on the topic,
hey, how are the FreeBSD folks doing' :) Presumably this subthread
could migrate to freebsd lists for those interested in following the
details more closely.


More information about the cryptography mailing list