From owner-freebsd-security@FreeBSD.ORG Mon Oct 7 19:56:52 2013 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTP id A6A685C6; Mon, 7 Oct 2013 19:56:52 +0000 (UTC) (envelope-from grarpamp@gmail.com) Received: from mail-vb0-x236.google.com (mail-vb0-x236.google.com [IPv6:2607:f8b0:400c:c02::236]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by mx1.freebsd.org (Postfix) with ESMTPS id 5749A2DB7; Mon, 7 Oct 2013 19:56:52 +0000 (UTC) Received: by mail-vb0-f54.google.com with SMTP id q14so3618590vbe.41 for ; Mon, 07 Oct 2013 12:56:51 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:date:message-id:subject:from:to:cc:content-type; bh=qR0PQOdfZxFfdK8g1byy6kCtjvGKW1uFKY0DjOLEmKQ=; b=NDkCJtzpS3n3CQVs4o6EhwYBW3pcuZZOVeUky/auZ4cgEC/BvO/HFRHHpFqEpszy7U fKCbJJ4knTU72dQDYcp6+Eea2OtWfeWtjgZ+3+UrHwucY+l+PFr/9+fL3XCmOFQXRoty k5i5N6nYfNqH2gVAHBeD31ci9z/6Xi8SIRvKEBrntjNC4cNBkckEplvT3u41OKmI2Q+P hE3GgGarMzpxhJzXtA0HiguvhlwjmATof0b/PAig7yV1tAPa5Bq9ANSrI/l3Fwr7cIxj 79Q1uLCSBZab8novE062m6gXEKzzrdrMyru3Uw0W6Tt9OpsXWli1PPqpouzlQ0wdKaqE O22w== MIME-Version: 1.0 X-Received: by 10.220.94.206 with SMTP id a14mr3119008vcn.19.1381175811411; Mon, 07 Oct 2013 12:56:51 -0700 (PDT) Received: by 10.221.4.137 with HTTP; Mon, 7 Oct 2013 12:56:51 -0700 (PDT) Date: Mon, 7 Oct 2013 15:56:51 -0400 Message-ID: Subject: FreeBSD crypto and security meta [was: zfs review 4185 New hash algo] From: grarpamp To: freebsd-security@freebsd.org Content-Type: text/plain; charset=UTF-8 X-Mailman-Approved-At: Mon, 07 Oct 2013 20:09:35 +0000 Cc: pjd@freebsd.org, cryptography@randombit.net X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.14 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 07 Oct 2013 19:56:52 -0000 > Date: Mon, 7 Oct 2013 11:44:57 +0200 > From: Pawel Jakub Dawidek > To: zfs@lists.illumos.org > Subject: Re: [zfs] [Review] 4185 New hash algorithm support > > On Mon, Oct 07, 2013 at 12:47:52AM +0100, Saso Kiselkov wrote: >> Please review what frankly has become a bit of a large-ish feature: >> http://cr.illumos.org/~webrev/skiselkov/new_hashes/ >> >> This webrev implements new hash algorithms for ZFS with much improved >> performance. There are three algorithms included: > [...] > > Personally I'd love to have an option to use HMAC/SHA256 for example > with secret key stored in pool. Currently in our product we put ZFS with > SHA256 on top of block-level disk encryption. I'd feel much better to > have proper data authentication using HMAC. At some point I may find > time to implement that based on your patch. With recent news renewing broad interest in self/peer examining the security of the entire spectrum of products... has the FreeBSD implementation of GELI/crypto/random published design papers, presentations and reviews? Are these collected centrally for easy reference by the community? Quick ref: https://www.freebsd.org/cgi/man.cgi?query=geli https://www.freebsd.org/cgi/man.cgi?query=crypto&sektion=9 https://www.freebsd.org/cgi/man.cgi?query=crypto&sektion=4 https://www.freebsd.org/cgi/man.cgi?query=random&sektion=4 https://www.freebsd.org/cgi/man.cgi?query=rndtest&sektion=4 Further, and more generally on the higher level meta topics we've seen... How is FreeBSD working with the community regarding possible updates to cipher suites, embedded crypto libraries, and the like? Similarly, how is it approaching the movement towards end-to-end toolchain integrity... from the repository, through deterministic builds, and on out to secure distribution and updates? This should be viewed not as a pointer but 'While we're on the topic, hey, how are the FreeBSD folks doing' :) Presumably this subthread could migrate to freebsd lists for those interested in following the details more closely.