OpenBSD Cryptographic Framework

The OpenBSD Cryptographic Framework (OCF) is an open Application Programming Interface (API) specification for the uniform management of cryptographic hardware by an operating system. It is part of the OpenBSD Project, having been included in the operating system since OpenBSD 2.8 (December, 2000). Like other OpenBSD projects such as OpenSSH and OpenSSL, it has been ported to other systems based on Berkeley Unix such as FreeBSD and NetBSD, and to Solaris and Linux.^[1] The Linux port is supported by Intel for use with its proprietary cryptographic software and hardware to provide hardware-accelerated SSL encryption for the open source Apache web browser.^[2]

Cryptography is an essential tool for secure communication across open networks as well as for local security strategies such as encryption of storage media. It is computation-intensive and, where software implementations are used, presents a bottleneck to information flow. Specialist hardware such as cryptographic accelerators can mitigate the bottleneck problem by introducing parallelism—processing multiple information packets asynchronously—and by outperforming the more general central processor at specialist computational tasks. Certain kinds of hardware, hardware random number generators, can also produce randomness more reliably than a pseudo-random software algorithm by exploiting the entropy of natural events.

Historically, unlike graphics applications such as games and film processing where similar hardware accelerators are in common use and have strong operating system support, the use of hardware in cryptography has relatively low uptake. By the late 1990s, there was a need for a uniform operating system layer for mediating between cryptographic hardware and application software that needed to use it. The lack of this resulted in applications that were hard-coded to work with one or a very small range of cryptographic accelerators.

The OpenBSD Project has a history of integrating cryptography into the operating system core, and took the initiative in producing a framework for the provision of cryptographic hardware acceleration as an operating system service.

Application-level support is provided through the pseudo-device /dev/crypto, which provides access to the hardware drivers through a standard ioctl interface. This simplifies the writing of applications and removes the need for the application programmer to understand the operational details of the actual hardware that will be used.

The OpenBSD implementation of IPsec, the packet-level encryption protocal, was altered so that packets can be decoded out of order, which improves throughput. Many Intel firmware hubs on i386 motherboards provide a hardware random number generator, and where possible this facility is used to provide entropy in IPsec.

Because OpenSSL uses the OCF, systems with hardware that supports the RSA, DH, or DSA cryptographic protocols will automatically use it without any modification of the software.

On 11 December 2010, a former government contractor named Gregory Perry sent an email to OpenBSD project leader Theo de Raadt alleging that the FBI had paid some OpenBSD ex-developers 10 years previously to insert backdoors into the OCF. Theo de Raadt made the email public on 14 December by forwarding it to the openbsd-tech mailing list and suggested an audit of the IPsec codebase.^[3][4] De Raadt's response was skeptical of the report and he invited all developers to independently review the relevant code. In the weeks that followed, bugs were fixed but no evidence of backdoors were found.^[5]

• Cryptography in OpenBSD, overview document provided by the OpenBSD project.
• OCF Linux Project.

This security software article is a stub. You can help Wikipedia by expanding it.

• v
• t
• e