[Freedombox-discuss] CAs and cipher suites for cautious servers like FreedomBox

cgw993 at aol.com cgw993 at aol.com
Sat Sep 14 00:18:31 UTC 2013


Sorry for the basic question but is Freedombox considered to be a collection
of hardware or software or is it the name of the project itself?

Q #2 - Would it be essentially impossible or completely impractical  for the
freedombox to contain only free software, the firmware, drivers, algorithms,
code, everything free? The device cannot be secured if it contains any non
free software(code, firmware, libraries, anything) right?

Q #3 - Does the Free Software Foundation approve of the Freedombox?

Again, not an expert in this subject at all, but since we are talking about
security I wanted to bring up WEP.   My limited understanding of WEP is that
it was an insecure encryption method used a decade or more ago and is still
offered on many routers.   The vulnerability as I understand it was that the
router would broadcast part of the key itself along with something else at a
certain interval, I would guess many times per second.   After a short
while, the router would broadcast a different part of the key and then
eventually if you listened long enough you would have all the parts to the
key.  During the broadcast of these key pieces, was the order of the key
characters preserved so that assembling the  original key was a relatively
simple matter if you listened long enough? If the answer to that is yes, is
the reason that this extremely obvious vulnerability was not discovered
because the algorithm used and/or the code was not made available for the
public to view? It almost seems like an intentional hole in the security.


-----Original Message-----
From: Freedombox-discuss
[mailto:freedombox-discuss-bounces+cgw993=aol.com at lists.alioth.debian.org]
On Behalf Of Sandy Harris
Sent: Friday, September 13, 2013 4:09 PM
To: freedombox list
Subject: [Freedombox-discuss] CAs and cipher suites for cautious servers
like FreedomBox

Jonas Smedegaard <dr at jones.dk> wrote:

> Would be nice if those knowledgeable about crypto could propose a 
> shortlist of purposes, and corresponding CAs and cipher suites.

I see no reason offhand for a Box to trust any CA. That is a problem for the
browsers, not a server. To identify the box to browsers, we could create a
Box project CA, get certs from some existing CA, or use self-signed certs.
I'd favour the latter because it is simpler, but then we need to document a
requirement that browsers check for cert changes. Without that check,
self-signed certs can be replaced by an attacker.

As for cipher suites, we should very strongly prefer ones that offer perfect
forward secrecy:
https://www.eff.org/deeplinks/2013/08/pushing-perfect-forward-secrecy-import
ant-web-privacy-protection

The obvious cipher to use is AES, but it would be preferable to provide some
other options as well.

"When asked to implement AES, the implementer might include the other
finalists - Twofish, Serpent. RC6 and MARS - as well. This provides useful
insurance against the (presumably unlikely) risk of someone finding a good
attack on AES. Little extra effort is required since open source
implementations of all these ciphers are readily available ... All except
RC6 have completely open licenses."
http://en.citizendium.org/wiki/Block_cipher#The_AES_generation

The obvious hash to use is SHA-2, probably along with the plug-in compatible
SHA-3.

> Anyone knowledgeable about crypto that can help out?

See also old discussion in this thread, and likely elsewhere too:
http://lists.alioth.debian.org/pipermail/freedombox-discuss/2011-April/00143
9.html

_______________________________________________
Freedombox-discuss mailing list
Freedombox-discuss at lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/freedombox-discuss




More information about the Freedombox-discuss mailing list