Crispin Cowan wrote:
>
> Marc Mutz wrote:
>
> > > <snip>
> > > Oh yes, it would be nice if the library didn't insist on inventing its own
> > > big-number support, but used the existing GMP library.
> > <snip>
> >
> > You won't ever be able to get public-key encryption into the kernel
> > proper (and there is no reason to try), so what do you want big number
> > support for?
>
> Actually, we already have both bignum support and public key crypto in the
> kernel for this project http://immunix.org/cryptomark.html
>
> We use it to do crypto certification of executables, so as to prevent trojan
> horse attacks.
>
> It will be released under the GPL, as it is a union of the Linux kernel and the
> GPG code body. Unfortunately for freeswan, it has American taint.

Methinks this is no longer FreeS/WAN-specific and should continue on the
linux-crypto@xxxxxxxxxxxx list.

We need quite a lot of crypto in the kernel:

FreeS/WAN currently has 3DES, and HMAC authentication based on SHA and MD5.
It is almost certain to add Rijndael at some point and likely any successor
to SHA that NIST standardises as well.

The RFCs allow other algorithms for both authentication and encryption, and
some IPSEC implementations support them (e.g. PGPnet uses CAST-128) but
FreeS/WAN is unlikely to use those.

Note that IPv6 requires IPSEC, so at some point this all needs to be in the
standard kernel.

Last I looked, /dev/random could use SHA or MD5 for the main stuff, but for
some reason also had MD4 included in the TCP nonce code.

Your stuff needs bignums and public key operations. Methinks these are
necessary for any signature scheme.

Will DNS security require similar things, or is all its key validation done
in user space?

Do the encrypting file systems require anything besides a good block cipher?

So what does it take to get a library into the kernel that does at least:

    3DES
    Rijndael
    SHA hash (initialise with fixed constants)
    SHA HMAC (initialise with secret key material)
    public key primitives (probably signature only)

What else is necessary or desirable?

Would the maintainers of the various packages use such a library?

Linux-crypto: cryptography in and on the Linux system
Archive: http://mail.nl.linux.org/linux-crypto/