Subject: hardware crypto (fwd)
To: None <tech-security@netbsd.org>
From: Hubert Feyrer <feyrer@rfhs8012.fh-regensburg.de>
List: tech-security
Date: 04/11/2000 17:05:55
Date: Tue, 11 Apr 2000 17:05:55 +0200 (MET DST)
From: Hubert Feyrer <feyrer@rfhs8012.fh-regensburg.de>
Reply-To: hubert.feyrer@informatik.fh-regensburg.de
To: tech-security@netbsd.org
Subject: hardware crypto (fwd)
Message-ID: <Pine.GSO.4.10.10004111705470.23042-100000@rfhpc8320.fh-regensburg.de>


FYI

-- 
Microsoft: "Where do you want to go today?"
Linux:     "Where do you want to be tomorrow?"
BSD:       "Are you guys coming, or what?"

---------- Forwarded message ----------
Date: Tue, 11 Apr 2000 06:24:49 -0600
From: Theo de Raadt <deraadt@cvs.openbsd.org>
Reply-To: misc@openbsd.org
To: announce@openbsd.org
Subject: hardware crypto

OpenBSD-current can now use hardware cryptographic support for IPSEC
performance boosting.

Currently, only cards using the HiFn 7751 chip can be used, and at
least one place you can buy such a card is http://www.powercrypt.com,
for about $300 USD or so if I recall (I got mine for free :-). This
Hifn chip is an IPSEC-oriented DES/3DES and SHA1/MD5 hmac engine;
ie. only symmetric cryptography.

The performance enhancement appears to be fairly significant, but it
also seems that perhaps we can do better.  We've had a hard time
measuring performance since all the developers involved only have one
card so far (we've actually held back talking about this while waiting
for more cards, but it's time to spill the beans).

A large part of the effort to make this work required decoupling the
network layer from the cryptography, so that crypto operations did not
have to be executed "in line".  Until very recently, our IPSEC layer
(and KAME is similar in this respect, actually it is easier to write
an IPSEC stack the other way) needed to do cryptography operations in
the middle of its task.  Being able to defer these operations to a
later time slightly improves performance on its own, and now has
permitted us to take advantage of these cards.

Further work will now happen.  We wish to support other products (ie.
IRE, Bluesteelnet, perhaps even 3COM or PCC-ISES if they would open
their minds).  Some crypto chip vendors are being extremely friendly
to us.  If anyone wants to help write drivers, get in touch.

We also hope to add more parts to our cryptography framework so that
it can supply RSA/DSA type operations for chips that support that, so
that OpenSSL can use the framework, and thus enhancing everything from
https to ssh performance.  We have grand schemes in mind.

If you order a card from www.powercrypt.com, tell them you intend to
use it with OpenBSD.  I have heard rumours they are allowed to export
it.....
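
The decoupling described in the message above, sketched as an added example (not OpenBSD's code and not part of the original post): the network layer queues a request with a continuation and returns, and the engine resumes the packet's output path later. All names here are hypothetical, and the XOR transform is only a placeholder for the card's DES/3DES engine.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define QLEN 8   /* ring size; power of two so index wrap stays consistent */

/* One deferred crypto request: the data plus the continuation to run
 * once the (hardware or software) engine has finished with it. */
struct crypto_req {
    uint8_t buf[64];
    size_t len;
    void (*done)(struct crypto_req *);   /* network-layer continuation */
};

static struct crypto_req *queue[QLEN];
static size_t q_head, q_tail;            /* ring buffer positions */
static size_t packets_sent;

/* Placeholder standing in for the card's cipher engine (assumption).
 * XOR is NOT encryption; it only makes the data change observable. */
static void engine_transform(struct crypto_req *r) {
    for (size_t i = 0; i < r->len; i++) r->buf[i] ^= 0x5a;
}

/* Network layer: hand the packet off and return immediately,
 * instead of running the cipher "in line". */
int crypto_enqueue(struct crypto_req *r) {
    if (q_tail - q_head == QLEN) return -1;   /* full: caller drops or retries */
    queue[q_tail++ % QLEN] = r;
    return 0;
}

/* Runs later (an interrupt handler or kernel thread in a real system):
 * process everything pending, then resume each packet's output path. */
size_t crypto_drain(void) {
    size_t n = 0;
    while (q_head != q_tail) {
        struct crypto_req *r = queue[q_head++ % QLEN];
        engine_transform(r);
        r->done(r);
        n++;
    }
    return n;
}

/* Continuation: the rest of IPsec output processing would go here. */
void ipsec_output_done(struct crypto_req *r) { (void)r; packets_sent++; }

size_t sent_count(void) { return packets_sent; }
```

The bounded queue matters for a packet path: when the engine falls behind, `crypto_enqueue` fails and the caller has to drop or retry rather than block.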