From owner-freebsd-arch@FreeBSD.ORG Fri Dec 10 17:53:31 2004
Date: Fri, 10 Dec 2004 12:52:43 -0500
From: David Schultz
To: Colin Percival
cc: freebsd-arch@FreeBSD.ORG
Subject: Re: Adding standalone RSA code
Message-ID: <20041210175243.GA28803@VARK.MIT.EDU>
In-Reply-To: <41B92CF3.2090302@wadham.ox.ac.uk>
References: <41B92CF3.2090302@wadham.ox.ac.uk>
Mail-Followup-To: Colin Percival, freebsd-arch@FreeBSD.ORG
List-Id: Discussion related to FreeBSD architecture

On Thu, Dec 09, 2004, Colin Percival wrote:
> I'd like to add a new library for lightweight barebones RSA
> computations, and associated commandline rsa-makekey, rsa-sign,
> and rsa-verify utilities.
>
> To a certain extent, this duplicates existing functionality
> (openssl), but I think my code has important advantages which
> justify the duplication:
> 1. It is lightweight (around 2% of the size of openssl), which
> may allow it to be used in memory-limited environments,
> 2. It is far more auditable, due to its smaller size, and
> 3. It is designed for security rather than performance; I made
> certain design decisions which result in my code being rather
> slower than openssl as a result of a desire to avoid potential
> attack vectors.
>
> My reason for wanting to add this code is that I'm using it
> in FreeBSD Update (and recently portsnap as well) and this is
> the first step towards migrating that into the base system.

I'm not sure I agree with your point (2). My concern is that just
because a library is small and open source doesn't mean it's secure.
Consider, for instance, that Kerberos version 4 had design-level
vulnerabilities that were unnoticed for well over a decade. The
OpenSSL library has an advantage over yours in that it has been
vetted by numerous cryptographers, owing to its popularity. Textbook
descriptions of RSA are often deceptively simple, but turn out to
have subtle flaws without the appropriate padding (e.g. OAEP) and
careful key generation. Besides that, the OpenSSL developers have
already been forced to address even more obscure problems such as
timing analysis attacks. I don't mean to suggest that you're not
aware of these issues, but this stuff can be tricky, and I've seen
home-brewed cryptography (e.g. iterated hash construction) done
wrong before.

Moreover, your point (1) doesn't seem particularly relevant for
FreeBSD. We don't target systems that lack sufficient memory for
OpenSSL, and there are existing RSA implementations that are
designed for embedded systems.
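The reply's point that textbook RSA is deceptively simple without padding can be made concrete. The following is an added example, not code from this thread, from OpenSSL or from the library under discussion: a constructed toy key (p = 61, q = 53, e = 17) shows that raw RSA signatures combine multiplicatively into a third valid signature that nobody produced, while even a minimal fixed-structure padding (a stand-in for the PKCS#1 encodings real libraries apply; OAEP itself needs a hash, a mask generator and a full-size modulus) makes the combined value fail verification.

```python
"""Why textbook RSA needs padding: added illustration, not code from the thread.

A constructed toy key keeps the numbers readable; the algebra is identical
for real key sizes. Never use parameters this small for anything real.
"""

P, Q, E = 61, 53, 17                    # constructed toy parameters, NOT a real key
N = P * Q                               # 3233
D = pow(E, -1, (P - 1) * (Q - 1))       # 2753: private exponent, e^-1 mod phi(n)

PAD_TAG = 0xA                           # toy fixed prefix; real schemes use PKCS#1 formats


def textbook_sign(m: int) -> int:
    """Raw RSA signature s = m^d mod n, with no hashing and no padding."""
    return pow(m, D, N)


def textbook_verify(m: int, s: int) -> bool:
    """Raw RSA check: s^e mod n must equal the message itself."""
    return pow(s, E, N) == m % N


def combine(s1: int, s2: int) -> int:
    """Multiply two signatures modulo n. Requires no private key."""
    return (s1 * s2) % N


def padded_sign(m: int) -> int:
    """Sign a message byte wrapped in a fixed structure (PAD_TAG in the top bits)."""
    if not 0 <= m < 256:
        raise ValueError("message byte out of range")
    return pow((PAD_TAG << 8) | m, D, N)


def padded_recover(s: int):
    """Undo the exponentiation and reject any value whose structure is wrong.

    Returns the message byte on success, or None if the padding check fails.
    """
    r = pow(s, E, N)
    return (r & 0xFF) if (r >> 8) == PAD_TAG else None


def textbook_forgery_verifies(m1: int, m2: int) -> bool:
    """Product of two raw signatures is a valid raw signature on m1*m2 mod n."""
    forged = combine(textbook_sign(m1), textbook_sign(m2))
    return textbook_verify((m1 * m2) % N, forged)


def padded_forgery_verifies(m1: int, m2: int) -> bool:
    """Same combination against the padded scheme: the recovered value is
    (PAD_TAG<<8|m1)*(PAD_TAG<<8|m2) mod n, which no longer carries PAD_TAG."""
    forged = combine(padded_sign(m1), padded_sign(m2))
    return padded_recover(forged) is not None
```

With m1 = 3 and m2 = 5 the raw forgery verifies while the padded one recovers 0x57E, whose top bits are 5 rather than PAD_TAG, so it is rejected.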