Why Not Using Vault Upstream?

Few people know that I contribute to a few nonprofits and due to laws with hardening (internal security strategy), I needed to verify Vault

Swim in a nightmare

It’s hard but so true… I never thought to look few things in 2020:

  • DSA-authorized for SSH
  • RSA key authorized at 2048 bits

SSH with DSA

Back in 2015, OpenSSH deprecated DSA keys due to weakness:

Starting with the 7.0 release of OpenSSH, support for ssh-dss keys has been disabled by default at runtime due to their inherent weakness. If you rely on these key types, you will have to take corrective action or risk being locked out.
Your best option is to generate new keys using strong algorithms such as rsa or ecdsa or ed25519. RSA keys will give you the greatest portability with other clients/servers while ed25519 will get you the best security with OpenSSH (but requires recent versions of client & server).

– https://github.com/zmedico/gentoo-news/blob/master/2015-08-13-openssh-weak-keys/2015-08-13-openssh-weak-keys.en.txt

I tried a pull request on GitHub to remove DSA for SSH and was refused.

RSA < 2048

Back in 2019, RSA was broken using Shor’s algorithm with quantum computing.

It’s not a dream:

Shor’s Algorithm is a three-part answer to the problem of prime factorization for any integer, so it works no matter how large the integer involved. The first part is performed on a classical computer in polynomial time, but it is only the set-up for the second and most important part. The second part requires the use of specially constructed quantum circuits to perform the quantum computation needed to find the value you need for the third part, which allows you to find the prime factors of the integer on a classical computer.

– https://www.technologyreview.com/2019/05/30/65724/how-a-quantum-computer-could-break-2048-bit-rsa-encryption-in-8-hours/

Using it or not?

March 9th, 2020, was the day when I forked Vault and released 3 commits:

Disclosure: I take big decisions inside a nonprofit so it’s my responsibility like writing an internal security strategy (1st version)

sycured

I took time to think about a few things

Will, I release all my commits?

I deleted a lot of stuff that we don’t need like:

  • Secrets Engines:
    • Active Directory
    • AliCloud
    • AWS
    • Azure
    • ElasticSearch
    • InfluxDB
    • Google Cloud with and without KMS
    • Venafi
  • Auth Methods:
    • AliCloud
    • AWS
    • Azure
    • Cloud Foundry
    • Google Cloud
    • GitHub
    • Username & Password

Big breaking change:

  • DSA deleted
  • RSA deleted

Elliptic Curve is the only way…

Will, I take the risk of using Vault upstream?

“Deleting might break things for existing users.”

– https://github.com/hashicorp/vault/pull/8567#issuecomment-601426028 by vishalnayak

Due to this reply on my PR, I can’t take the risk.

For them (in my PR, vishalnayak‘s reply is from Vault’s team), it’s not a problem to keep weaknesses like DSA alive because they made the mistake and prefer to avoid any breaking change.

DSA deprecated during August 2015

Vault released during April 2015 (1st release)

Of course, it’s difficult to admit their mistake and force users/clients to migrate to a more secure algorithm like Ed25519 before going to post-quantum cryptography.

Will, I take the risk of forking Vault and apply my commits?

I refuse to provide all my commits under MPL-2.0

Honestly, it’s impossible because it’ll be impossible to follow upstream.
I regret but I need to make a decision not just for me, but also for the team.

Our system

We’ll build our system inspired by Vault because we can’t take any risks.

I hope that we can release it under dual licensing.

Laws & Hardening

We need traceability and a lot of things about who asked to access a secret and more.
In addition, we need to harden to be more robust and pass any certification successfully.

At this time, I’m with Ed25519 way but I continue to read about post-quantum cryptography because it’s tomorrow and we need a more robust system.

One nonprofit is about medical records so we need the most secure system and can’t accept weakness in the algorithm used.

Keep in touch

Tags: