The OpenCA Project is a collaborative effort to develop a robust, full-featured and Open Source out-of-the-box Certification Authority implementing the most used protocols with full-strength cryptography world-wide. The project is managed by a worldwide community of volunteers that use the Internet to communicate, plan, and develop the OpenCA tookit and its related documentation.
An interesting and amusing introduction to cryptography.
A Creative Commons book on implementing and cracking ciphers using Python
Blowfish is a freely-redistributable symmetric key block cipher of the "Feistel" variety that is much faster than either DES or IDEA, and which while it has not had as much publicized official analytical attention, appears to be fairly secure. Various analyses have been pointed at it, and it has not yet been found wanting.
After a preparatory set of iterations to set up "boxes" corresponding to the key, it uses operations such as XOR, ADD, MUL that are generally quite efficient on common processors and thus is amenable to compiler optimization so that it is quite efficient on "general purpose" computer hardware (unlike DES).
The default key length is 128 bits. Unlike DES, the key can be readily extended to longer lengths (between 32 and 448 bits); it is not proven that longer keys are proportionately more effective, although that seems likely.
A number of companies are selling (non-exportable) products based on Blowfish, typically with 128 bit keys.
Bruce Schneier, the creator, is a regular participant in the newsgroup sci.crypt, and while there have been some discussions of possible improvements, they mostly represent ways of making the cipher more robust despite smaller numbers of "rounds" of the algorithm, the point being to make it run faster without losing security.
Terry Ritter is in the business of providing custom block and stream ciphers. He argues that there should be many crypto algorithms and that enterprises should continually sponsor migration to new ones. This has the advantage that the algorithms become "moving targets" unlike the relatively static ciphers commonly in use. If it turns out that a particular algorithm is easily broken, the infrastructure makes it easy to migrate to another "better" algorithm. And if you're on the "Ritter Cipher of the Month" plan, you're migrating anyways.
He's got a very nice glossary on cryptographic terminology.
SSL = Secure Socket Layer; this is a modified BSD socket protocol that uses RSA / MD5 to authenticate users and transfer keys around, and then uses a block cipher (RC4?) to transfer data back and forth.
This allows easy implementation of secure network data transfers; all data travels in encrypted form. Common applications include:
Secure versions of FTP and telnet ("Normal" versions will expose plaintext versions of passwords to any packet sniffers that might come between client and server.)
Implementations and applications include:
SSH is a "secured" shell that essentially implements the telnet protocol atop SSL. This allows secure Unix login sessions across the insecure Internet.
It would be highly desirable to see equivalents to this for notable protocols such as POP3 (mail access) and FTP, at least for authentication, as they normally involve passing unencrypted passwords in "raw" form across the Internet. This is not generally a wise idea...
Amazon present Applied Cryptography : Protocols, Algorithms, and Source Code in C; Bruce Schneier; Paperback
Highly Distributed Computational Projects that have included ones to crack DES and RC5 ciphers.
A new, secure password file format that takes the place of the old-style crypt() password-hashing algorithm. Developed and distributed by Stanford, the EPS uses exponentiation modulo a prime number to convert passwords into "hashed" verifiers. This makes the file several orders of magnitude more difficult to "crack" (i.e. five guesses/sec instead of 5000 guesses/sec). EPS is particularly well-suited for RedHat Linux installation, because it is available as a pair of PAM modules
Introduced by Sun Microsystems for use with Solaris, and implemented for Linux by Red Hat Software, PAM allows integration of various authentication technologies such as Kerberos, RSA, smart cards and DCE into system entry services such as login, passwd, rlogin, telnet, ftp, and su without changing any of these services.
There are a number of web browsers that do not have SSL functionality integrated into them. Some (notably Lynx) allows you to define a "secure proxy" through which SSL requests can go. The proxy (and edssl is an implementation of such a daemon) would be a program that runs on a local host that knows how to speak the SSL protocol, and thus manages the connection to the remote host.
In order to have Lynx know how to use EDSSL, one would set up the
which assumes of course that EDSSL has been configured to use port
mcrypt is intended to be a replacement of the old Unix crypt, released under the GPL. It supports a number of encryption algorithms including many of the AES candiates as well as the traditional "Enigma-like" crypto originally used on Unix.
EGD runs on various Unix systems and corresponds to the Linux /dev/random which collects together "entropy" from various sources of random events, stirring together an "entropy pool" from which one may extract quite random values. EGD provides equivalent functionality to /dev/random on other platforms.
HAVEGE (HArdware Volatile Entropy Gathering and Expansion) is a user-level software unpredictable random number generator for general-purpose computers that exploits modifications of the internal volatile hardware states as a source of uncertainty.
Not freely usable...
It's interesting to see the lifecycles of the popularity and later deprecation of cryptograpahic hash algorithms.
A BSD-licensed implementation of TrueCrypt.
This isn't precisely a crypto "accelerator"; it is a USB-based device that seeds one's entropy pool with true random numbers. Very useful if you're generating a lot of cryptographic keys that chew up entropy from /dev/random.
There are a variety of implementations of "encrypted filesystems," where a directory or other set of files are stored in encrypted form, but with some public interface whereby once you connect to the filesystem, you can transparently access the encrypted data as if it were a regular filesystem containing a set of unencrypted files.
Supports encrypted filesystems on Linux and Win32 platforms; uses your choice of DES , Blowfish, Twofish, GOST encryption.
StegFS - A Steganographic File System for Linux
PPDD is a device driver for Linux. It allows you to create a device which looks like a disc partition. You can then create an ext2 filesystem on this device. The data is in reality written to and read from a real disc - either a partition or a file on a normal filesystem. Everything on the disc is encrypted. The encryption algorithm is Blowfish . Clearly more than just a device driver is involved in this and I have tried to make the overall system secure and foolproof.
There were originally links to virtually all of the proposals; many have since "aged" off the list, and as Rijndael "won" the competition, others are of somewhat diminished interest.
This has, as "progeny", some additional password "safes":
This is a password manager designed with a view to the Unix Philosophy.
A password manager using OpenPGP (or GnuPG) to store passwords and context strings in a single encrypted file, with capability to extract them without visibly displaying them onscreen.