The OpenCA Project is a collaborative effort to develop a robust, full-featured and Open Source out-of-the-box Certification Authority implementing the most used protocols with full-strength cryptography world-wide. The project is managed by a worldwide community of volunteers that use the Internet to communicate, plan, and develop the OpenCA toolkit and its related documentation.
pyCA - Software for running a certificate authority, written in Python.
An interesting and amusing introduction to cryptography.
Hacking Secret Ciphers with Python
A Creative Commons book on implementing and cracking ciphers using Python
Blowfish is a freely-redistributable symmetric key block cipher of the "Feistel" variety that is much faster than either DES or IDEA and which, while it has not had as much publicized official analytical attention, appears to be fairly secure. Various analyses have been pointed at it, and it has not yet been found wanting.
After a preparatory set of iterations to set up "boxes" corresponding to the key, it uses operations such as XOR, ADD, MUL that are generally quite efficient on common processors. It is thus amenable to compiler optimization and runs quite efficiently on "general purpose" computer hardware (unlike DES).
The default key length is 128 bits. Unlike DES, the key can be readily extended to longer lengths (between 32 and 448 bits); it is not proven that longer keys are proportionately more effective, although that seems likely.
A number of companies are selling (non-exportable) products based on Blowfish, typically with 128-bit keys.
Bruce Schneier, the creator, is a regular participant in the newsgroup sci.crypt, and while there have been some discussions of possible improvements, they mostly represent ways of making the cipher more robust despite smaller numbers of "rounds" of the algorithm, the point being to make it run faster without losing security.
Ciphers By Ritter: Cryptography and Technology
Terry Ritter is in the business of providing custom block and stream ciphers. He argues that there should be many crypto algorithms and that enterprises should continually sponsor migration to new ones. This has the advantage that the algorithms become "moving targets" unlike the relatively static ciphers commonly in use. If it turns out that a particular algorithm is easily broken, the infrastructure makes it easy to migrate to another "better" algorithm. And if you're on the "Ritter Cipher of the Month" plan, you're migrating anyways.
He's got a very nice glossary on cryptographic terminology.
SSL = Secure Socket Layer; this is a modified BSD socket protocol that uses RSA / MD5 to authenticate users and transfer keys around, and then uses a block cipher (RC4?) to transfer data back and forth.
This allows easy implementation of secure network data transfers; all data travels in encrypted form. Common applications include:
Transmission of confidential data such as credit card IDs between web browsers and web servers;
Secure versions of FTP and telnet ("Normal" versions will expose plaintext versions of passwords to any packet sniffers that might come between client and server.)
Implementations and applications include:
SSH is a "secured" shell that essentially implements the telnet protocol atop SSL. This allows secure Unix login sessions across the insecure Internet.
It would be highly desirable to see equivalents to this for notable protocols such as POP3 (mail access) and FTP, at least for authentication, as they normally involve passing unencrypted passwords in "raw" form across the Internet. This is not generally a wise idea...
fsh -- Fast remote command execution (Secured using SSL connection)
Amazon presents Applied Cryptography: Protocols, Algorithms, and Source Code in C; Bruce Schneier; Paperback
Highly Distributed Computational Projects that have included ones to crack DES and RC5 ciphers.
SRP - Exponential Password Suite (EPS)
A new, secure password file format that takes the place of the old-style crypt() password-hashing algorithm. Developed and distributed by Stanford, the EPS uses exponentiation modulo a prime number to convert passwords into "hashed" verifiers. This makes the file several orders of magnitude more difficult to "crack" (i.e. five guesses/sec instead of 5000 guesses/sec). EPS is particularly well-suited for Red Hat Linux installation, because it is available as a pair of PAM modules.
PAM - Pluggable Authentication Modules
Introduced by Sun Microsystems for use with Solaris, and implemented for Linux by Red Hat Software, PAM allows integration of various authentication technologies such as Kerberos, RSA, smart cards and DCE into system entry services such as login, passwd, rlogin, telnet, ftp, and su without changing any of these services.
edssl081a - an SSL "Proxy Server/Daemon"
There are a number of web browsers that do not have SSL functionality integrated into them. Some (notably Lynx) allow you to define a "secure proxy" through which SSL requests can go. The proxy (and edssl is an implementation of such a daemon) would be a program that runs on a local host that knows how to speak the SSL protocol, and thus manages the connection to the remote host.
In order to have Lynx know how to use EDSSL, one would set up the environment variable:
export https_proxy=http://localhost:4443/
which assumes of course that EDSSL has been configured to use port 4443.
Counterpane: A Self Study Course in Block Cipher Cryptanalysis
The Solitaire Encryption Algorithm
Created for a book by Neal Stephenson, this was designed by Bruce Schneier as a secure crypto scheme that uses a deck of cards.
mcrypt is intended to be a replacement of the old Unix crypt, released under the GPL. It supports a number of encryption algorithms including many of the AES candidates as well as the traditional "Enigma-like" crypto originally used on Unix.
Some Crypto Stuff including EGD - Entropy Gathering Daemon
EGD runs on various Unix systems and corresponds to the Linux /dev/random, which collects "entropy" from various sources of random events, stirring it into an "entropy pool" from which one may extract quite random values. EGD provides equivalent functionality to /dev/random on other platforms.
HAVEGE (HArdware Volatile Entropy Gathering and Expansion) is a user-level software unpredictable random number generator for general-purpose computers that exploits modifications of the internal volatile hardware states as a source of uncertainty.
Not freely usable...
Lifetimes of cryptographic hash functions
It's interesting to see the lifecycles of the popularity and later deprecation of cryptographic hash algorithms.
A BSD-licensed implementation of TrueCrypt.
Simtec Electronics Entropy Key: USB True Random Number Generator
This isn't precisely a crypto "accelerator"; it is a USB-based device that seeds one's entropy pool with true random numbers. Very useful if you're generating a lot of cryptographic keys that chew up entropy from /dev/random.
There are a variety of implementations of "encrypted filesystems," where a directory or other set of files is stored in encrypted form, but with some public interface whereby once you connect to the filesystem, you can transparently access the encrypted data as if it were a regular filesystem containing a set of unencrypted files.
CFS - Cryptographic Filesystem
CFS - Cryptographic File System
This site includes a version with Blowfish support.
Supports encrypted filesystems on Linux and Win32 platforms; uses your choice of DES, Blowfish, Twofish, GOST encryption.
StegFS - A Steganographic File System for Linux
PPDD - Encrypted Disc Device Driver
PPDD is a device driver for Linux. It allows you to create a device which looks like a disc partition. You can then create an ext2 filesystem on this device. The data is in reality written to and read from a real disc - either a partition or a file on a normal filesystem. Everything on the disc is encrypted. The encryption algorithm is Blowfish. Clearly more than just a device driver is involved in this and I have tried to make the overall system secure and foolproof.
BestCrypt for Linux, version 0.7 (proprietary scheme quite similar to CFS)
These are possible candidates in the Advanced Encryption Standard (AES) process to replace the venerable DES cipher; the final winner was Rijndael.
There were originally links to virtually all of the proposals; many have since "aged" off the list, and as Rijndael "won" the competition, others are of somewhat diminished interest.
This has, as "progeny", some additional password "safes":
This is a password manager designed with a view to the Unix Philosophy.
Each password is stored in its own individual file, each one encrypted using GPG. Optionally, it will check passwords into a Git repository after each request.
A password manager using OpenPGP (or GnuPG) to store passwords and context strings in a single encrypted file, with capability to extract them without visibly displaying them onscreen.