On Wed, Aug 26, 2009 at 09:46:11PM -0400, My List Mail wrote:
> Been waiting for a while to see some current encryption added to
> openbsd. Surprised it has not been already, and frankly find it weak
> that the 'worlds most secure OS' does not have current encryption. Why
> is this?
>
> I use vnconfig for encryption, which uses Blowfish. Blowfish is old,
> early 1990's. 64-bit block size. I realize there is no known
> cryptanalysis of it out in the public domain. But I would feel safer
> using AES (Rijndael), Serpent, or Twofish. Something with a 128-bit
> block size (and 256-bit key). Something that is recommended and in use
> as a current standard. Even Bruce Schneier, blowfish's creator has
> recommended that a stronger cipher be used.
>
> "At this point, though, I'm amazed it's still being used. If people
> ask, I recommend Twofish instead."
> from
> http://www.computerworld.com.au/article/46254/bruce_almighty_schneier_preaches_security_linux_faithful?pp=1&fp=4194304&fpid=1
> on page 3 of article
>
> He also recently blogged about some attacks on AES, although none are
> effective against all 14 rounds
>
> What cipher is used to protect confidential information on the SECRET
> and TOP SECRET levels? Its not blowfish, its AES-256.
>
> I love OpenBSD, been using it since 3.3. Bought my 3.6 CD set and a
> few t-shirts to support the project (Was surprised to read recently
> that t-shirts do not directly support the project. Something else that
> needs to be fixed. I know I'll buy more t-shirts, but CD sets are
> doubtful) Tried to donate some old mac ppc hardware to support the
> project, but never got a response from developers. I want to continue
> using it and supporting it. But the operating system that is so
> focused on security needs some cipher updates. Options for people to
> choose from, not just old blowfish.
>
> I am writing this because i am torn. On one end, the OS I love, am
> familiar with, and includes so many great security features, by
> default. On the other end, is this concern about encryption and
> openbsd's lack of it. I am considering using any linux flavor, because
> they all support AES(Rijndael) as well as the the most popular
> finalists for AES, like Serpent and Twofish. I want to use OpenBSD,
> but need to use the AES cipher. I do not feel safe with just blowfish.
> Blowfish just does not 'cut it'
>
> Please update the OS to include these new encryption standards.
>
> If someone can explain why openbsd still only uses blowfish, after all
> this time, that would be helpful too. If this is the case, it is time
> for me to look for a secure operating system. Something with ciphers
> that are current, relevant, and still recommended for use
>
> J-BSD
If you feel so strongly this is needed, get involved.
-Otto
