[OpenAFS] packet sniffing and file content

Jim Rees rees@umich.edu
Fri, 13 Jul 2001 10:58:04 -0400


  What options are available to protect file contents
  from packet sniffing?  Is this a concern?

This is a concern.  OpenAFS uses an algorithm called fcrypt, designed in
1988 by Ted Anderson.  It is very similar to DES but is designed to be
faster in software.  It suffers both from a 56-bit key space and from a
vulnerability to differential cryptanalysis, which was unknown to the open
crypto community at the time.

I would like to see OpenAFS use something stronger.  OpenBSD has kernel
crypto now, and kernel crypto will soon be available in Linux (if it isn't
already).

One of my other projects is NFSv4, and we have done a kernel GSS for that
(most of the work happens in user space via upcalls, but bulk encryption
happens in the kernel).  Some day I would like to leverage that work to get
better crypto support into OpenAFS.