OpenBSD Security Features - Cryptography and Randomization

Cryptography and Randomization

One of the goals of the OpenBSD project is the integration of facilities and software for strong cryptography into the core operating system. To this end, a number of low-level features are provided, including a source of strong pseudorandom numbers; built-in cryptographic hash functions and transforms; and support for cryptographic hardware (the OpenBSD Cryptographic Framework).

These abilities are used throughout OpenBSD. One example is the bcrypt password-hashing algorithm, derived from Bruce Schneier's Blowfish block cipher, which takes advantage of the slow Blowfish key schedule to make password checking inherently CPU-intensive, so that password-cracking attempts are slower and more difficult.

To protect sensitive information such as passwords and passphrases from leaking onto disk, where they can persist for many years, OpenBSD supports encryption of the swap partition. The swap space is split up into many small regions that are each assigned their own encryption key: as soon as the data in a region is no longer required, OpenBSD securely deletes it by discarding the encryption key. This feature is enabled by default in OpenBSD 3.9 and later.

The network stack also makes heavy use of randomization to increase security and reduce the predictability of various values that may be of use to an attacker, including TCP Initial Sequence Numbers and timestamps, and ephemeral source ports. A number of features to increase network resilience and availability are also included, such as countermeasures for problems with ICMP and software for redundancy, such as CARP and pfsync.

In userland, the project was perhaps the first to disable the plain-text telnet daemon in favor of the encrypted SSH daemon, and it features other integrated cryptographic software, including IPsec and Kerberos.
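The per-region key scheme described above for encrypted swap can be modelled in a few lines. This is an added example, not OpenBSD kernel code: the class and function names, the region and page sizes, and the HMAC-SHA256 keystream standing in for the real cipher are all assumptions made for the demonstration.

```python
import hashlib
import hmac
import secrets

REGION_PAGES = 4   # pages per swap region (constructed value for the demo)
PAGE_SIZE = 64     # bytes per page, kept small for the demo


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Stand-in cipher (assumption): HMAC-SHA256 run in counter mode."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class EncryptedSwap:
    """Toy model: `disk` persists, `keys` exist only in memory."""

    def __init__(self) -> None:
        self.disk = {}   # page number -> (nonce, ciphertext)
        self.keys = {}   # region number -> key
        self.live = {}   # region number -> set of pages still needed

    def page_out(self, page_no: int, data: bytes) -> None:
        region = page_no // REGION_PAGES
        if region not in self.keys:              # first use: fresh random key
            self.keys[region] = secrets.token_bytes(32)
        self.live.setdefault(region, set()).add(page_no)
        nonce = secrets.token_bytes(16)          # fresh per write, not secret
        padded = data.ljust(PAGE_SIZE, b"\0")
        stream = _keystream(self.keys[region], nonce, PAGE_SIZE)
        self.disk[page_no] = (nonce, _xor(padded, stream))

    def page_in(self, page_no: int) -> bytes:
        key = self.keys[page_no // REGION_PAGES]  # KeyError once discarded
        nonce, ciphertext = self.disk[page_no]
        return _xor(ciphertext, _keystream(key, nonce, PAGE_SIZE))

    def release(self, page_no: int) -> None:
        region = page_no // REGION_PAGES
        self.live[region].discard(page_no)
        if not self.live[region]:                # region no longer required
            del self.keys[region]                # ciphertext stays, key is gone
```

After the last live page of a region is released, the ciphertext is still present in `disk` but `page_in` can no longer decrypt it, which is the deletion-by-key-discard property the paragraph describes.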
