Re: Hardware Crypto Offload on Kirkwood (SheevaPlug)

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

On 05/24/2011 07:05 PM, Peter Robinson wrote:
> On Tue, May 24, 2011 at 6:11 PM, Andrew Haley<aph@xxxxxxxxxx>  wrote:
>> On 05/23/2011 04:12 PM, Gordan Bobic wrote:
>>> omalleys@xxxxxxx wrote:
>>>
>>>> My question, is how hard is this to implement the hardware support
>>>> non-openssl programs.
>>>
>>> Not particularly hard if you're writing your own crypto implementation
>>> anyway, but there's a lot to be said for just linking against OpenSSL.
>>> It's probably safer to link against the library that has a lot of eyes
>>> on it than it is to implement your own.
>>>
>>>> OpenAFS could use this as it can use a lot of DES
>>>> encryption, but it uses its own DES implementation. It also happens to
>>>> be the only one I can think of off the top of my head that uses its own
>>>> implementation. It would be nice to have.
>>
>> gpg seems to use its own AES implementation that's slower than SSL's.
>> It would certainly be nice to fix that to use acceleration.
>
> It would be better to use nss as it has the option of all the various
> fips certifications which would be useful for gpg.

Just out of interest, what is the "fips" option to configure on OpenSSL for?

> Alternatively I would think it would be better to use the HW crytpo
> user interface directly so you get HW acceleration if it avail or
> fallback if its not.

Sure, just as OpenSSL does. The point here was that if it can be built 
to link against OpenSSL, it doesn't have to modify it's bundled crypto 
implementation for options with all possible crypto engines.

> I'd personally prefer not to use openssl for gpg
> as its not the most secure beast.

The issue here seems to be philosophical. The simple fact is that we 
trust so much to OpenSSL we might as well save ourselves some memory and 
effort of reimplementing the wheel and maintaining that reimplemented 
wheel. Considering we already trust ssh and https in almost all 
instances to OpenSSL, I think the issue is pretty academic.

One other thing to consider is that the reason OpenSSL gets 
cryptanalyzed so much is specifically because it is so popular. It also 
has a lot of eyes on it making sure it is tight and stays that way. IMO, 
using something else is bordering on security through obscurity - and 
that shouldn't be encouraged.

Gordan
_______________________________________________
arm mailing list
arm@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/arm
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Linux ARM (Vger)]     [Linux ARM]     [ARM Kernel]     [Fedora User Discussion]     [Older Fedora Users Discussion]     [Fedora Advisory Board]     [Fedora Security]     [Fedora Maintainers]     [Fedora Devel Java]     [Fedora Legacy]     [Fedora Desktop]     [ATA RAID]     [Fedora Marketing]     [Fedora Mentors]     [Fedora Package Announce]     [Fedora Package Review]     [Fedora Music]     [Fedora Packaging]     [Centos]     [Fedora SELinux]     [Coolkey]     [Yum Users]     [Tux]     [Yosemite News]     [Linux Apps]     [KDE Users]     [Fedora Tools]     [Fedora Art]     [Fedora Docs]     [Asterisk PBX]

Powered by Linux