Few people know that I contribute to a few nonprofits and, due to laws with hardening (internal security strategy), I needed to verify Vault.
It’s hard but so true… I never thought to look at a few things in 2020:
Back in 2015, OpenSSH deprecated DSA keys due to weakness:
Starting with the 7.0 release of OpenSSH, support for ssh-dss keys has been disabled by default at runtime due to their inherent weakness. If you rely on these key types, you will have to take corrective action or risk being locked out. Your best option is to generate new keys using strong algorithms such as rsa or ecdsa or ed25519. RSA keys will give you the greatest portability with other clients/servers while ed25519 will get you the best security with OpenSSH (but requires recent versions of client & server).
I tried a pull request on GitHub to remove DSA for SSH and it was refused.
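A check for the key types named in the OpenSSH notice above, as an added example that is not code from this post or from Vault: it reads `authorized_keys` lines, decodes each key blob, and flags `ssh-dss` keys and short RSA moduli. The 2048-bit floor, the function names and the sample lines are assumptions built for illustration.

```python
import base64
import struct

DISABLED_TYPES = {"ssh-dss"}  # disabled by default since OpenSSH 7.0
MIN_RSA_BITS = 2048  # assumed policy floor, not a value from the post
KNOWN_TYPES = DISABLED_TYPES | {"ssh-rsa", "ssh-ed25519", "ecdsa-sha2-nistp256",
                                "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}

def wire_fields(blob):
    """Split an SSH public-key blob into its length-prefixed fields."""
    fields, pos = [], 0
    while pos + 4 <= len(blob):
        (size,) = struct.unpack(">I", blob[pos:pos + 4])
        fields.append(blob[pos + 4:pos + 4 + size])
        pos += 4 + size
    return fields

def audit_line(line):
    """Return (key_type, verdict) for an authorized_keys line, or None."""
    tokens = line.split()
    if not tokens or tokens[0].startswith("#"):
        return None
    # Options may precede the key type; quoted options that contain
    # spaces are not handled in this example.
    idx = next((i for i, t in enumerate(tokens) if t in KNOWN_TYPES), None)
    if idx is None or idx + 1 >= len(tokens):
        return ("unknown", "review")
    try:
        fields = wire_fields(base64.b64decode(tokens[idx + 1], validate=True))
    except ValueError:  # binascii.Error is a ValueError
        return (tokens[idx], "review")
    # Judge by the type embedded in the blob, not the text label before it.
    key_type = fields[0].decode("ascii", "replace") if fields else "unknown"
    if key_type in DISABLED_TYPES:
        return (key_type, "replace")
    if key_type == "ssh-rsa":  # fields are: type, exponent e, modulus n
        bits = int.from_bytes(fields[2], "big").bit_length() if len(fields) >= 3 else 0
        return (key_type, "ok" if bits >= MIN_RSA_BITS else "replace")
    return (key_type, "ok" if key_type in KNOWN_TYPES else "review")

def sample_line(key_type, *numbers):
    """Build a constructed authorized_keys line; the numbers are not real keys."""
    parts = [key_type.encode()] + [n.to_bytes(n.bit_length() // 8 + 1, "big") for n in numbers]
    blob = b"".join(struct.pack(">I", len(p)) + p for p in parts)
    return f"{key_type} {base64.b64encode(blob).decode()} constructed@example"

if __name__ == "__main__":
    for line in (sample_line("ssh-dss", 2**1023 + 1, 2**159 + 1, 2, 3),
                 sample_line("ssh-rsa", 65537, 2**1023 + 1)):
        print(audit_line(line))
```
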
Back in 2019, RSA was broken using Shor’s algorithm with quantum computing.
It’s not a dream:
Shor’s Algorithm is a three-part answer to the problem of prime factorization for any integer, so it works no matter how large the integer involved. The first part is performed on a classical computer in polynomial time, but it is only the set-up for the second and most important part. The second part requires the use of specially constructed quantum circuits to perform the quantum computation needed to find the value you need for the third part, which allows you to find the prime factors of the integer on a classical computer.
March 9th, 2020, the day when I forked Vault and released 3 commits:
Disclosure: I make big decisions inside a nonprofit, so it’s my responsibility, like writing an internal security strategy (1st version).
I took time to think about a few things.
I deleted a lot of stuff that we don’t need like:
Big breaking change:
Elliptic Curve is the only way…
“Deleting might break things for existing users.”
Due to this reply on my PR, I can’t take the risk.
For them (in my PR, vishalnayak’s reply is from Vault’s team), it’s not a problem to keep a weakness like DSA alive because they made the mistake and prefer to avoid any breaking change.
DSA deprecated during August 2015
Vault released during April 2015 (1st release)
I refuse to provide all my commits under MPL-2.0.
Honestly, it’s impossible because it’ll be impossible to follow upstream. I regret it, but I need to make a decision not just for me but also for the team.
We’ll build our system inspired by Vault because we can’t take any risks.
I hope that we can release it under dual licensing.
We need traceability and a lot of things about who asked to access a secret and more. In addition, we need to harden to be more robust and pass any certification successfully.
At this time, I’m going the Ed25519 way, but I continue to read about post-quantum cryptography because it’s tomorrow and we need a more robust system.
One nonprofit is about medical records, so we need the most secure system and can’t accept a weakness in the algorithm used.
Keep in touch