grarpamp
2013-Oct-07 19:56 UTC
FreeBSD crypto and security meta [was: zfs review 4185 New hash algo]
> Date: Mon, 7 Oct 2013 11:44:57 +0200 > From: Pawel Jakub Dawidek <pjd at FreeBSD.org> > To: zfs at lists.illumos.org > Subject: Re: [zfs] [Review] 4185 New hash algorithm support > > On Mon, Oct 07, 2013 at 12:47:52AM +0100, Saso Kiselkov wrote: >> Please review what frankly has become a bit of a large-ish feature: >> http://cr.illumos.org/~webrev/skiselkov/new_hashes/ >> >> This webrev implements new hash algorithms for ZFS with much improved >> performance. There are three algorithms included: > [...] > > Personally I'd love to have an option to use HMAC/SHA256 for example > with secret key stored in pool. Currently in our product we put ZFS with > SHA256 on top of block-level disk encryption. I'd feel much better to > have proper data authentication using HMAC. At some point I may find > time to implement that based on your patch.With recent news renewing broad interest in self/peer examining the security of the entire spectrum of products... has the FreeBSD implementation of GELI/crypto/random published design papers, presentations and reviews? Are these collected centrally for easy reference by the community? Quick ref: https://www.freebsd.org/cgi/man.cgi?query=geli https://www.freebsd.org/cgi/man.cgi?query=crypto&sektion=9 https://www.freebsd.org/cgi/man.cgi?query=crypto&sektion=4 https://www.freebsd.org/cgi/man.cgi?query=random&sektion=4 https://www.freebsd.org/cgi/man.cgi?query=rndtest&sektion=4 Further, and more generally on the higher level meta topics we've seen... How is FreeBSD working with the community regarding possible updates to cipher suites, embedded crypto libraries, and the like? Similarly, how is it approaching the movement towards end-to-end toolchain integrity... from the repository, through deterministic builds, and on out to secure distribution and updates? This should be viewed not as a pointer but 'While we're on the topic, hey, how are the FreeBSD folks doing' :) Presumably this subthread could migrate to freebsd lists for those interested in following the details more closely.