| … | |
… | |
| 92 | |
92 | |
| 93 | ./configure --enable-hmac-length=16 --enable-rand-length=8 --enable-digest=sha1 |
93 | ./configure --enable-hmac-length=16 --enable-rand-length=8 --enable-digest=sha1 |
| 94 | |
94 | |
| 95 | This uses a 16 byte HMAC checksum to authenticate packets (I guess 8-12 |
95 | This uses a 16 byte HMAC checksum to authenticate packets (I guess 8-12 |
| 96 | would also be pretty secure ;) and will additionally prefix each packet |
96 | would also be pretty secure ;) and will additionally prefix each packet |
| 97 | with 8 bytes of random data. |
97 | with 8 bytes of random data. In the long run, people should move to |
|
|
98 | SHA-224 and beyond, but support in openssl is missing as of writing this |
|
|
99 | document. |
| 98 | |
100 | |
| 99 | In general, remember that AES-128 seems to be more secure and faster than |
101 | In general, remember that AES-128 seems to be more secure and faster than |
| 100 | AES-192 or AES-256, more randomness helps against sniffing and a longer |
102 | AES-192 or AES-256, more randomness helps against sniffing and a longer |
| 101 | HMAC helps against spoofing. MD4 is a fast digest, SHA1 or RIPEMD160 are |
103 | HMAC helps against spoofing. MD4 is a fast digest, SHA1 or RIPEMD160 are |
| 102 | better, and Blowfish is a fast cipher (and also quite secure). |
104 | better, and Blowfish is a fast cipher (and also quite secure). |
