From: John-Mark Gurney
To: freebsd-security@FreeBSD.org
Date: Fri, 5 Sep 2014 15:25:59 -0700
Subject: deprecating old ciphers from OpenCrypto...
Message-ID: <20140905222559.GO82175@funkthat.com>

As I've been working on OpenCrypto, I've noticed that we have some
ciphers that OpenBSD does not... As we haven't had a maintainer for
the code, no one has been evaluating which ciphers should be included...

I would like to document the following ciphers as deprecated in 11,
and remove them for 12:
Skipjack: already removed by OpenBSD and recommended not for use by NIST
          after 2010, key size is 80 bits
CAST: key size is 40 to 128 bits

As you can see, both of these ciphers are weak and we should not encourage
their use. Their removal from OpenCrypto will practically only remove
them from their use w/ IPSec. Most other systems are userland and will
use OpenSSL which is different.

It would be possible for parties that need support to make them a module,
but right now, if you compile in crypto into your kernel, you get all of
these ciphers...

Comments?

Thanks.

-- 
John-Mark Gurney    Voice: +1 415 225 5579

"All that I will do, has been done, All that I have, has not."