I have problems understanding the purpose of the -K option which was
implemented in vnconfig in OpenBSD 4.0.

Do I understand it correctly if I assume the following:

- I can now specify the rounds used by Blowfish
  - Which are (should be) limited to up to 16 rounds
- I have to specify a SALT file
  - Which gets handled like a certificate to authenticate myself in
   combination with the password (??)
   - So it's a 2-factor authentication?
     Or is the SALT from the file really used for the Blowfish initialisation?

man vnconfig tells me that svnds (I'm using one svnd currently) get
encrypted, but it does not tell me how many rounds were used for
Blowfish or how strong the encryption is (somebody told me Blowfish
128-bit). The number of rounds used can be a key factor when it comes to
potential decryption by others (PUT_YOUR_FAVORITE_SERVICE_HERE).

*comment*
The manpage should tell the user how many rounds are used for svnds and
probably how to create the SALT file.
E.g. for https all needed steps are described in the manual
*comment*

Is my assumption correct that the normal svnds use Blowfish with
128 bits (to specify more bits would be cool, like 256; Blowfish allows
up to 448 bits) and a limited number of rounds (not 16)?

I ask because the passwords in OpenBSD do not get encrypted with 16
rounds by default (so I don't know how many rounds were used for
svnds, but I would bet not 16 rounds), which means:

*cut from Wikipedia; other sources are available via a Google search*
In 1996, Serge Vaudenay found a known-plaintext attack requiring
2^(8r + 1) known plaintexts to break, where r is the number of rounds. Moreover,
he also found a class of weak keys that can be detected and broken by
the same attack with only 2^(4r + 1) known plaintexts. This attack cannot
be used against the full 16-round Blowfish; Vaudenay used a
reduced-round variant of Blowfish. Vincent Rijmen, in his Ph.D. thesis,
introduced a second-order differential attack that can break four
rounds and no more. There remains no known way to break the full 16
rounds, apart from a brute-force search. [1]
*cut*

Old machines may not be happy about 16-round Blowfish, that's for
sure, but it would be safer (as far as I know from reading some crypto
books), and the Wikipedia article (wikipedia - blowfish) points to that
issue (reduced number of rounds) too.

I've also read somewhere (tech@ ?) that somebody talked about using the
crypto framework for svnds. Is there active development in that area
(I would buy a crypto card just for my SVNDs)?!

Kind regards,
Sebastian
