Date: Fri, 5 Sep 2014 15:25:59 -0700
From: John-Mark Gurney <jmg@funkthat.com>
To: freebsd-security@FreeBSD.org
Subject: deprecating old ciphers from OpenCrypto...
Message-ID: <20140905222559.GO82175@funkthat.com>

As I've been working on OpenCrypto, I've noticed that we have some
ciphers that OpenBSD does not... As we haven't had a maintainer for
the code, no one has been evaluating which ciphers should be included...

I would like to document the following ciphers as deprecated in 11, and
remove them for 12:

Skipjack: already removed by OpenBSD and recommended not for use by NIST
          after 2010, key size is 80 bits
CAST: key size is 40 to 128 bits

As you can see, both of these ciphers are weak and we should not encourage
their use. Their removal from OpenCrypto will practically only remove
them from their use w/ IPSec. Most other systems are userland and will
use OpenSSL which is different.

It would be possible for parties that need support to make them a module,
but right now, if you compile in crypto into your kernel, you get all
of these ciphers...

Comments?

Thanks.

--
John-Mark Gurney Voice: +1 415 225 5579

"All that I will do, has been done, All that I have, has not."