diff options
author | Christian Weisgerber <naddy@cvs.openbsd.org> | 2006-06-14 19:04:27 +0000 |
---|---|---|
committer | Christian Weisgerber <naddy@cvs.openbsd.org> | 2006-06-14 19:04:27 +0000 |
commit | ec94043b141f38e56dbfcf69647eb6442e7769e3 (patch) | |
tree | efdf22435663643fc555c1445992c559946796ff /sbin/ipsecctl | |
parent | 060a26f3ec66871713629a7599570fc22edb4d52 (diff) |
recover list of key sizes from vpn(8); suggested by markus@, ok hshoexer@
Diffstat (limited to 'sbin/ipsecctl')
-rw-r--r-- | sbin/ipsecctl/ipsec.conf.5 | 24 |
1 files changed, 23 insertions, 1 deletions
diff --git a/sbin/ipsecctl/ipsec.conf.5 b/sbin/ipsecctl/ipsec.conf.5 index beb598b16d8..908b28f041d 100644 --- a/sbin/ipsecctl/ipsec.conf.5 +++ b/sbin/ipsecctl/ipsec.conf.5 @@ -1,4 +1,4 @@ -.\" $OpenBSD: ipsec.conf.5,v 1.56 2006/06/13 16:13:41 naddy Exp $ +.\" $OpenBSD: ipsec.conf.5,v 1.57 2006/06/14 19:04:26 naddy Exp $ .\" .\" Copyright (c) 2004 Mathieu Sauve-Frankel All rights reserved. .\" @@ -329,6 +329,28 @@ The encryption key is defined similar to .Ar authkey . .El .Pp +Different cipher types may require different sized keys. +.Pp +.Bl -column "CipherXX" "Key Length" -offset indent -compact +.It Em Cipher Key Length +.It Li DES Ta "56 bits" +.It Li 3DES Ta "168 bits" +.It Li AES Ta "variable (128 bits recommended)" +.It Li Blowfish Ta "variable (160 bits recommended)" +.It Li CAST Ta "variable (128 bits maximum and recommended)" +.It Li Skipjack Ta "80 bits" +.El +.Pp +Use of DES or Skipjack as an encryption algorithm is not recommended +(except for backwards compatibility) due to their short key length. +Furthermore, attacks on Skipjack have shown severe weaknesses +in its structure. +.Pp +Note that DES requires 8 bytes to form a 56-bit key and 3DES requires 24 bytes +to form its 168-bit key. +This is because the most significant bit of each byte is ignored by both +algorithms. +.Pp It is very important that keys are not guessable. One practical way of generating 160-bit (20-byte) keys is a follows: .Bd -literal -offset indent |