If it is worth doing, it is worth doing right. While I'm always
impressed with the quality of OpenBSD, this matters most to me.

You can't worry too much. There is a saying: "Attacks always get
better; they never
get worse."
Good point. You can always get data another way.
Blake

Yes, I realize that. I did not say fast key schedules are desireable.
You're jumping the gun.
I was unaware of this. I shall read that paper before I continue
replying.
I'm not concerned with the use of Blowfish in the password file, rather
I think it's the best choice. What I think is irrelevent here
really--the facts speak for themselves.

What I'm concerned about is the use of Blowfish in vm.swapencrypt.enable
and vnconfig -k. Just because its use in the password file is genius,
does not necessairly mean it would make for the best option elsewhere.

What I'm worried about is that several devs implemented this fantastic
password file scheme, then perhaps (no accusations yet) got deluded
that Blowfish is the greatest thing since sliced bread and decided it's
fit for everything--including their laundry.
I am in the process of learning various languages, starting with C.
(Crypto still affects everyone--including those who don't program or
are cryptographers.) I also would hope that things would be evaluated
for problems before solutions are applied.

I'm just looking for some reassurances, Mr. Miller. Docs are preferable,
unfortunately the informative link you sent me earlier does not cover
the use of Blowfish elsewhere in OpenBSD. That's what I've been looking
for; I had to turn here since I could not find such info.

I also knew I'd get lambasted on misc since the prospect of a lack of
documentation of OpenBSD is preposterous.

Travers

Yes, this entire thread may be moot. Why fix it if it ain't broken?
Well, we may not know that it is broken. We can only use our best
judgement--a matter of opinion sometimes. Ack.

Bruce Schneier designed Blowfish.
Bruce Schneier designed Twofish to be a sucessor to Blowfish.
Blowfish may be older, but I think that Twofish has been analyzed more
than Blowfish due to the NIST competition a few years back.
I agree, Blowfish is just fine in some applications. I don't know if
it's universal though. OpenBSD uses it almost universally.

I'm not saying OpenBSD should use Twofish. I'm asking wherether or not
OpenBSD should use Twofish.

Sweet dreams, veins

Travers

Blowfish ain't broke. Yet. There was a time when everyone though MD5 was
good enough. Now there is code on the internet to produce meaningful
collisions. I bet a year or two from now pepople will laugh at the idea
of using it to secure anything. It is dying a slow death. Sorry!

It is my understanding that Blowfish's 64 bit block may make it more
vulnerable to cryptoanalysis than Twofish's 128. Whatever.

No point talking about a subject with a really thin line.

It is my opinion that OpenBSD lacks a good cryptographic disk solution.
That is just an opinion. Yes, I know, code is much more valuable.

I'm through.
Travers

Well I was contemplating the error of my ways on this thread. I realized
that I was wrong. Blowfish's implementation is secure and efficient...
from a programmer's point of view.

A few hundred years ago everybody knew the Earth was the center of the
universe.
Then we knew that the most basic form of stuff (what we now know as
atoms) resembled chocolate chip cookies.
A hundred years ago, putting a man on the moon was inconcieveable.

The Nazis thought their Enigma machine was perfect.
The password file on *nix systems back in the day used to be
world-readable.
DES used to be considered strong crypto. The USA's National Bureau of
Standards standardized it. The National Institute of Standards and
Technology, which formerly was the NBS--the guys who decided DES was
good--also say that AES is safe now, too.

Imagine what we will know tomorrow. Just think about it, in a few
hundred years mankind may be able to zip around the universe at will.
It will never happen, you say. Science says it can't.
I can't recall how many sciences were later debunked. What makes ours
any better?

So what does this have to do with keeping your secrets safe? Well, it
occured to me that no crypto is perfect, as I hope everyone feels. To
keep those secrets safe, we don't need stronger crypto--we need more of
it.

Imagine a large (as in quantity) homogenous crop that a populated
country depends on to eat. If one virus comes along and kills off that
crop, then those people will suffer greatly. But, if those people
diversify their agriculture and have three crops, then that one virus
will not cause famine.

This can be applied to cryptography, and for my practical purposes,
cryptographic disks. Imagine the efficacy of taking at least three
radically different (from one another) forms of crypto and
superimposing those cryptographies on one another.

So, for instance you have the secret which you crypt with A, then crypt
it with sceme B, and finally C.

If weaknesses are found in one of those cryptographies (I'm confident of
this, it's what history teaches us) then scheme A and C are still
protecting that data.

Sure, it's slow, inefficient. But if you have need of storing data
securely, you should be able to sleep at night, knowing that you're as
protected as humanly possible. It's also really paranoid, a simpler
implementation which can be found everywhere will generally protect you
against say, laptop thieves. Yet, if it is worth doing, it is worth
doing right.

Doing it right involves obfusgating your data so that any attemts at
brute-forcing it would result in more meaningful data that could be
produced by a monkey on a typewriter typing for epoch or so (they say
that the monkey would eventually write Shakespere.)

Yes, I am _exaggerating_, but it's to prove my point.

There is no value in the second kick of a mule. Look at history, we need
to drop our arrogance that our cryptographies are strong. Then we need
to do the best job as humanly possible (if you wonder what this route
is, just remember--tinfoil hat paranoia) to keep information secret,
which I believe involves using different cryptographies for the same
set of data.

At the very least, the idea of diversification is good... the details
can be worked out later.

I'm not a programmer nor a cryptographer,
I'm a historian and philosopher, among a few other things.
That's why you should listen, since if you only speak to the
aforementioned types of people, your view of the world will remain
narrow--a narrow view of things is dangerous.

Travers K. Buda

wrong. apples are as fast as tables. bluefish encrypts faster than twofish.
don't know about rekeying etc.
quantum computers are the real big buzzword to scare people into
irrational behaviour. nobody knows whether or when quantum computer
will be able to brute force 128 bit keys. and whether twofish will save you.
twofish encrypts faster than aes-256 and slower than aes-128.
but I don't give a shit, whether it is faster, as long it is fast enough.
yeah, that is relly stupid. how to put your foot before your gun.
because he is bruce schneier? blowfish and twofish have partly different
applications, different considerations how to implement in hardware.
twofish was designed for aes, blowfish not. btw. bruce schneier never
said blowfish would be the best choice. as far as anybody knows, blowfish
is a strong cipher with nobody having an idea how to break it.


--knitti

This is not true, vnconfig does read a maximum of 128 bytes (1024bit) and
the key can not be larger than that.
You can easily follow the function calls until it gets into blf_key().
blowfish(3) says that "The block size is 64 bits and the maximum key
size is 448 bits."
menpower?
I have Truecrypt on a windows box. The benchmarks of this app
show the blowfish ist faster than all the others on my computer.
As far as i can remember, it supports blowfish, twofish, aes and some
others. Have a look into it :)
As far as i know here were certain design criterias (for example 128 bit
blocksize, hardware implementation and such stuff). And twofish does
not sound very much like a completly new thing to me?

Maybe someone should ask him why he did not say anything on his website
that blowfish is "insecure"? I mean, he also said that md5 und sha-1
are insecure, so why does he not do the same thing for blowfish?

Something else I would like to add. The real winner (in security) of
the NIST contest was serpent. Serpent can be implemented very well
in hardware, but does not perform good in software. The Linux
kernel has support for it and i used it some time, but it is really slow.
So if you are paranoid, don't cry for AES, go for serpent. There are
maybe reasons why the NSA didn't like it ;))


Another (ot) thing, it is easy to add keyfile(s) to vnconfig.
What you need is gpg and a small patch [1] that makes vnconfig read
from stdin. Encrypt your keyfile with gpg und put it on an usb stick.
Write some small shell scripts that pipe the output of gpg into
vnconfig and add some nice dialogs..

Now you can change your passphrase as often as you wish and
have your disk encrypted with a keyfile that is guarenteed not in
an lookup table at some supercomputers of some mysterious three
letter agency ;)

Tobias

[1] http://www.tmux.org/tmp/vnconfig.c.diff (That's my crappy
version of it, but there are other...)