{"id":182,"date":"2020-04-16T20:32:00","date_gmt":"2020-04-17T01:32:00","guid":{"rendered":"http:\/\/sycured.127.0.0.1.sslip.io\/?p=182"},"modified":"2024-01-13T17:01:03","modified_gmt":"2024-01-13T22:01:03","slug":"why-not-using-vault-upstream","status":"publish","type":"post","link":"http:\/\/10.42.0.68:8080\/blog\/why-not-using-vault-upstream","title":{"rendered":"Why Not Using Vault Upstream?"},"content":{"rendered":"\n
Few people know that I contribute to a few nonprofits and, due to laws with hardening (internal security strategy), I needed to verify Vault.<\/p>\n\n\n\n\n\n\n\n
It’s hard but so true\u2026 I never thought to look at a few things in 2020:<\/p>\n\n\n\n
Back in 2015, OpenSSH deprecated DSA keys due to weakness:<\/p>\n\n\n\n
\nStarting with the 7.0 release of OpenSSH, support for ssh-dss keys has been disabled by default at runtime due to their inherent weakness. If you rely on these key types, you will have to take corrective action or risk being locked out.
Your best option is to generate new keys using strong algorithms such as rsa or ecdsa or ed25519. RSA keys will give you the greatest portability with other clients\/servers while ed25519 will get you the best security with OpenSSH (but requires recent versions of client & server).<\/p>\n\n\n\n– https:\/\/github.com\/zmedico\/gentoo-news\/blob\/master\/2015-08-13-openssh-weak-keys\/2015-08-13-openssh-weak-keys.en.txt<\/p>\n<\/blockquote>\n\n\n\n
I opened a pull request on GitHub to remove DSA for SSH<\/a>, and it was refused.<\/p>\n\n\n\n
RSA < 2048<\/h3>\n\n\n\n
Back in 2019, RSA was broken using Shor’s algorithm with quantum computing.<\/p>\n\n\n\n
It’s not a dream:<\/p>\n\n\n\n
\nShor\u2019s Algorithm is a three-part answer to the problem of prime factorization for any integer, so it works no matter how large the integer involved. The first part is performed on a classical computer in polynomial time, but it is only the set-up for the second and most important part. The second part requires the use of specially constructed quantum circuits to perform the quantum computation needed to find the value you need for the third part, which allows you to find the prime factors of the integer on a classical computer.<\/p>\n\n\n\n
– https:\/\/www.technologyreview.com\/2019\/05\/30\/65724\/how-a-quantum-computer-could-break-2048-bit-rsa-encryption-in-8-hours\/<\/p>\n<\/blockquote>\n\n\n\n
Using it or not?<\/h2>\n\n\n\n
March 9th, 2020<\/em>, was the day when I forked Vault<\/a> and released 3 commits:<\/p>\n\n\n\n
\n
- fix PKI&SSH keys to be at 4096 by default and minimum<\/a><\/li>\n\n\n\n
- remove duplication error string using variable<\/a><\/li>\n\n\n\n
- remove DSA for SSH<\/a><\/li>\n<\/ul>\n\n\n\n
\nDisclosure:<\/strong> I take big decisions inside a nonprofit so it’s my responsibility like writing an internal security strategy (1st version)<\/p>\n\n\n\n
– sycured<\/a><\/p>\n<\/blockquote>\n\n\n\n
I took time to think about a few things<\/p>\n\n\n\n
Will I release all my commits?<\/h3>\n\n\n\n
I deleted a lot of stuff that we don’t need like:<\/p>\n\n\n\n
\n
- Secrets Engines:\n
\n
- Active Directory<\/li>\n\n\n\n
- AliCloud<\/li>\n\n\n\n
- AWS<\/li>\n\n\n\n
- Azure<\/li>\n\n\n\n
- ElasticSearch<\/li>\n\n\n\n
- InfluxDB<\/li>\n\n\n\n
- Google Cloud with and without KMS<\/li>\n\n\n\n
- Venafi<\/li>\n<\/ul>\n<\/li>\n\n\n\n
- Auth Methods:\n
\n
- AliCloud<\/li>\n\n\n\n
- AWS<\/li>\n\n\n\n
- Azure<\/li>\n\n\n\n
- Cloud Foundry<\/li>\n\n\n\n
- Google Cloud<\/li>\n\n\n\n
- GitHub<\/li>\n\n\n\n
- Username & Password<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n
Big breaking change:<\/p>\n\n\n\n
\n
- DSA deleted<\/li>\n\n\n\n
- RSA deleted<\/li>\n<\/ul>\n\n\n\n
Elliptic Curve<\/a> is the only way\u2026<\/p>\n\n\n\n
Will I take the risk of using Vault upstream?<\/h3>\n\n\n\n
\n“Deleting might break things for existing users.”<\/p>\n\n\n\n
– https:\/\/github.com\/hashicorp\/vault\/pull\/8567#issuecomment-601426028 by vishalnayak<\/a><\/p>\n<\/blockquote>\n\n\n\n
Due to this reply on my PR<\/a>, I can’t take the risk.<\/p>\n\n\n\n
For them (in my PR, vishalnayak<\/a>’s reply is from Vault’s team), it’s not a problem to keep weaknesses like DSA alive because they made the mistake and prefer to avoid any breaking change.<\/p>\n\n\n\n
\nDSA deprecated during August 2015<\/p>\n\n\n\n
Vault released during April 2015 (1st release)<\/p>\n<\/blockquote>\n\n\n\n
Of course, it’s difficult to admit their mistake and force users\/clients to migrate to a more secure algorithm like Ed25519<\/a> before going to post-quantum cryptography<\/a>.<\/p>\n\n\n\n
Will I take the risk of forking Vault and applying my commits?<\/h3>\n\n\n\n