Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 462014

Summary: Provide SOBER-128 Encryption Algorithm
Product: Red Hat Enterprise Linux 6 Reporter: Daniel Riek <riek>
Component: nssAssignee: Kai Engert (:kaie) (inactive account) <kengert>
Status: CLOSED WONTFIX QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: 6.0CC: bstevens, emaldona, jrieden, rrelyea, sdake, syeghiay
Target Milestone: beta   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2009-12-15 14:07:44 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Daniel Riek 2008-09-11 21:58:13 UTC 
Red Hat Cluster Suite (OpenAIS) uses the SOBER-128 encryption algorithm. NSS as the primary cryptography provider in RHEL should provide the crypto services for RHCS and therefor needs to implement this algorithm in RHEL6.

Information:
http://en.wikipedia.org/wiki/SOBER-128
Comment 1 Kai Engert (:kaie) (inactive account) 2008-12-01 16:37:32 UTC 
I forwarded this enhancement request to upstream at
https://bugzilla.mozilla.org/show_bug.cgi?id=467372
Comment 2 Bob Relyea 2008-12-02 01:08:52 UTC 
I believe we should provide a separate PKCS #11 module and use NSS's crypto algorithm agnostic code to access it. The main thing missing from the agnostic code is adding an SSL cipher to the mix, but this does not seem to be needed.

One thing that does need to be added is a new PKCS #11 mechanism for this cipher suite. If someone who is familiar with the cipher  wants to propose a PKCS #11 mechanism I'd be happy to review the proposal and pass it on to the PKCS #11 working group.

NOTE: This is not a FIPS compatible cipher, therefore it must be turned off in FIPS mode. This means anything which *REQUIRES* (as opposed to *allows*) this cipher will not be FIPS validatable. I strongly urge the OpenAIS team to make sure that there is a FIPS validated alternative that can be selected (e.i. AES). As long as you have that, then providing SOBER-128 as a separately installed PKCS #11 module to NSS for the non-FIPS compatibility case is not a problem.

bob
Comment 3 Bob Relyea 2008-12-02 01:16:00 UTC 
NOTE2: SOBER-128 MAC has been broken. This is another reason to make sure you have some cipher agility, and in particular can support well tested and evaluated ciphers like AES.

bob
Comment 4 Steven Dake 2009-02-24 01:11:05 UTC 
We don't use the MAC feature of sober128 since it has been proven failed.  We use the PRNG feature which remains secure and use SHA1 and HMAC as our message authenticator.

We can have no agility in regards to crypto algorithms because of a need to never break wire compatability.

We also have performance requirements which AES does not meet because it is terribly slow.

Regards
-steve
Comment 5 Daniel Riek 2009-04-08 18:19:09 UTC 
Adding alternative algorithms and potentially automatic negotiation does not break wire compatibility, does it?
Comment 6 Steven Dake 2009-04-08 19:11:05 UTC 
I have investigated this feature in detail and outlined a schedule and technology several months ago.  We need a feature called "algorithm agility" which for the moment is not in the current upstream roadmap or rhel schedule.  Basically how it works is at the end of each packet we transmit on the wire, we send a "algorithm id" which is a number.  Since it is at the end of the packet it doesn't break wire compatibility as long as all nodes still continue to use algorithm 0 (the original).

number 0 is the current methodology, whereas number 1 would be an nss implementation, number 2 would be higher level nss implementation when nss 1 algorithms become compromised, etc.

On receipt of the packet, the appropriate decryption and authentication algorithm is used to decrypt the packet.  Transmit encryption algorithm of packets is controlled by a config option which is also dynamically configurable via a C API.

The user would use this technique to upgrade their nodes:
1.  user rolls all nodes from openais-0.80.X to corosync which is configured uing "algorithm 0" (the current algorithm) as the default transmit algorithm.
2.  User runs corosync-cfgtool or cman_tool which tells entire cluster to use "algorithm 1" for all new transmits after all nodes are rolled
3.  Existing corosync instances start using algorithm 1 (corosync is implemented to understand 0 and 1).

When a packet is received, its id is checked and the appropriate decryption algorithm is used based upon the id at the end of the packet.  This is localized to 1 C file, called "totemnet.c".

The first step is the algorithm agility of putting the identifier at the end of the packet and have corosync honor this identifier internally.  This provides the agility portion of the feature.

Then later we could roll out a new upgrade to corosync with NSS support and transition the users to different encryption algorithms.

I have provided management and product marketing with schedules for this technology and given other features and the lack of losing design wins because of the current implementation, it would appear it was prioritized lower and fell below the line given current resources.

There is no way to do auto negotiation without breaking wire compat without using the current set of algorithms so if full nss support is desired sober must be implemented in nss and there will be schedule impacts on cluster3 (our team is running at capacity and still behind schedule).

Regards
-steve
Comment 9 RHEL Program Management 2009-12-15 14:07:44 UTC 
Development Management has reviewed and declined this request.  You may appeal
this decision by reopening this request.