OpenBSD Cryptographic Framework
The OpenBSD Cryptographic Framework (OCF) is a service virtualization layer for the uniform management of cryptographic hardware by an operating system. It is part of the OpenBSD Project, having been included in the operating system since OpenBSD 2.8 (December, 2000). Like other OpenBSD projects such as OpenSSH, it has been ported to other systems based on Berkeley Unix such as FreeBSD and NetBSD, and to Solaris and Linux. One of the Linux ports is supported by Intel for use with its proprietary cryptographic software and hardware to provide hardware-accelerated SSL encryption for the open source Apache HTTP Server.
Cryptography is an essential tool for secure communication across open networks as well as for local security strategies such as encryption of storage media. It is computation-intensive and, where software implementations are used, presents a bottleneck to information flow. Specialist hardware such as cryptographic accelerators can mitigate the bottleneck problem by introducing parallelism—processing multiple information packets asynchronously—and by outperforming the more general central processor at specialist computational tasks. Certain kinds of hardware, hardware random number generators, can also produce randomness more reliably than a pseudo-random software algorithm by exploiting the entropy of natural events.
Unlike graphics applications such as games and film processing where similar hardware accelerators are in common use and have strong operating system support, the use of hardware in cryptography has had relatively low uptake. By the late 1990s, there was a need for a uniform operating system layer to mediate between cryptographic hardware and application software that used it. The lack of this layer led to the production of applications that were hard-coded to work with one or a very small range of cryptographic accelerators.
The OpenBSD Project has a history of integrating cryptography into the operating system core, and took the initiative in producing a framework for the provision of cryptographic hardware acceleration as an operating system service.
Application-level support is provided through the pseudo-device /dev/crypto, which provides access to the hardware drivers through a standard ioctl interface. This simplifies the writing of applications and removes the need for the application programmer to understand the operational details of the actual hardware that will be used.
Implications for other subsystems
The OpenBSD implementation of IPsec, the packet-level encryption protocol, was altered so that packets can be decoded in batches, which improves throughput. One rationale for this is to maximize efficiency of hardware usage—larger batches reduce the bus transmission overhead—but in practice the IPsec developers have found that this strategy improves the efficiency even of software implementations.
Many Intel firmware hubs on i386 motherboards provide a hardware random number generator, and where possible this facility is used to provide entropy in IPsec.
Backdoor allegations investigated
On 11 December 2010, a former government contractor named Gregory Perry sent an email to OpenBSD project leader Theo de Raadt alleging that the FBI had paid some OpenBSD ex-developers 10 years previously to compromise the security of the system, inserting "a number of backdoors and side channel key leaking mechanisms into the OCF." Theo de Raadt made the email public on 14 December by forwarding it to the openbsd-tech mailing list and suggested an audit of the IPsec codebase. De Raadt's response was skeptical of the report and he invited all developers to independently review the relevant code. In the weeks that followed, bugs were fixed but no evidence of backdoors was found.
Similarly named Solaris product
Oracle's proprietary operating system Solaris (originally developed by Sun) features an unrelated product called the Solaris Cryptographic Framework, a plug-in system for cryptographic algorithms and hardware.
- Keromytis, Wright, de Raadt and Burnside, Cryptography As An Operating System Service: A Case Study, ACM Transactions on Computing Systems, Vol 23, No 1, February 2006, pages 1-38, PDF
- Intel Corporation, 2008, OpenSSL and Apache--Software
- crypto(4) in OpenBSD manual
- de Raadt, Theo (2010-12-14). "Allegations regarding OpenBSD IPSEC". openbsd-tech mailing list. http://marc.info/?l=openbsd-tech&m=129236621626462&w=2.
- Holwerda, Thom (2010-12-14), "FBI Added Secret Backdoors to OpenBSD IPSEC", OSNews, retrieved 2011-12-13
- Ryan, Paul (2010-12-23), "OpenBSD code audit uncovers bugs, but no evidence of backdoor", Ars Technica (Condé Nast Digital), retrieved 2011-01-09