From: | Robin Carey <robin.carey1@xxxxxxxxxxxxxx> |
Date: | Wed, 31 Mar 2010 17:47:58 +0100 |
There is some talk on the kernel-mailing list about implementing Cryptography in DragonFlyBSD.
I would like to add my input in this discussion;
Most cryptography implementations use block-ciphers. But I consider block-ciphers (even AES) bad, because
they are just a code-book.
I consider Stream Ciphers to be the best way to encrypt data, as these are "the next best thing" to a
one-time-pad (one-time-pad is a provably secure encryption method).
So if DragonFly were to support encrypting the hard-disk-drive/file-system, I would recommend
a Stream-Cipher implementation.
There is more than one way to go about this; read up on CSPRNG on www.wikipedia.org.
For me, the limiting factor is the cycle-length of the Stream-Cipher/CSPRNG.
If you go via the method outlined in wikipedia for a CSPRNG (a block-cipher like
AES in counter mode) then the limitation of the cycle-length is the limitation of
the size of the counter. So in todays world of 64-bit computing that's 64-bits,
generally speaking.
Alternatively, you could use IBAA64 which is available from:
http://www.leopard.uk.com/IBAA64
(or any other good CSPRNG with a guaranteed cycle-length).
If DragonFlyBSD was to go down the stream-cipher/CSPRNG route (as opposed
to the block-cipher route which everyone else has chosen), I would like to point
out an improved version of the usual Stream-Cipher technique which I invented
and have called "Cipher-Packet";
The algorithm/implementation is available from:
http://www.leopard.uk.com/C12
Cheers !
--
Sincerely,
Robin Carey