Bug 462014 - Provide SOBER-128 Encryption Algorithm
Provide SOBER-128 Encryption Algorithm
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: nss (Show other bugs)
All Linux
high Severity high
: beta
: ---
Assigned To: Kai Engert (:kaie)
Depends On:
  Show dependency treegraph
Reported: 2008-09-11 17:58 EDT by Daniel Riek
Modified: 2009-12-15 09:07 EST (History)
6 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2009-12-15 09:07:44 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

External Trackers
Tracker ID Priority Status Summary Last Updated
Mozilla Foundation 467372 None None None Never

  None (edit)
Description Daniel Riek 2008-09-11 17:58:13 EDT
Red Hat Cluster Suite (OpenAIS) uses the SOBER-128 encryption algorithm. NSS as the primary cryptography provider in RHEL should provide the crypto services for RHCS and therefor needs to implement this algorithm in RHEL6.

Comment 1 Kai Engert (:kaie) 2008-12-01 11:37:32 EST
I forwarded this enhancement request to upstream at
Comment 2 Bob Relyea 2008-12-01 20:08:52 EST
I believe we should provide a separate PKCS #11 module and use NSS's crypto algorithm agnostic code to access it. The main thing missing from the agnostic code is adding an SSL cipher to the mix, but this does not seem to be needed.

One thing that does need to be added is a new PKCS #11 mechanism for this cipher suite. If someone who is familiar with the cipher  wants to propose a PKCS #11 mechanism I'd be happy to review the proposal and pass it on to the PKCS #11 working group.

NOTE: This is not a FIPS compatible cipher, therefore it must be turned off in FIPS mode. This means anything which *REQUIRES* (as opposed to *allows*) this cipher will not be FIPS validatable. I strongly urge the OpenAIS team to make sure that there is a FIPS validated alternative that can be selected (e.i. AES). As long as you have that, then providing SOBER-128 as a separately installed PKCS #11 module to NSS for the non-FIPS compatibility case is not a problem.

Comment 3 Bob Relyea 2008-12-01 20:16:00 EST
NOTE2: SOBER-128 MAC has been broken. This is another reason to make sure you have some cipher agility, and in particular can support well tested and evaluated ciphers like AES.

Comment 4 Steven Dake 2009-02-23 20:11:05 EST
We don't use the MAC feature of sober128 since it has been proven failed.  We use the PRNG feature which remains secure and use SHA1 and HMAC as our message authenticator.

We can have no agility in regards to crypto algorithms because of a need to never break wire compatability.

We also have performance requirements which AES does not meet because it is terribly slow.

Comment 5 Daniel Riek 2009-04-08 14:19:09 EDT
Adding alternative algorithms and potentially automatic negotiation does not break wire compatibility, does it?
Comment 6 Steven Dake 2009-04-08 15:11:05 EDT
I have investigated this feature in detail and outlined a schedule and technology several months ago.  We need a feature called "algorithm agility" which for the moment is not in the current upstream roadmap or rhel schedule.  Basically how it works is at the end of each packet we transmit on the wire, we send a "algorithm id" which is a number.  Since it is at the end of the packet it doesn't break wire compatibility as long as all nodes still continue to use algorithm 0 (the original).

number 0 is the current methodology, whereas number 1 would be an nss implementation, number 2 would be higher level nss implementation when nss 1 algorithms become compromised, etc.

On receipt of the packet, the appropriate decryption and authentication algorithm is used to decrypt the packet.  Transmit encryption algorithm of packets is controlled by a config option which is also dynamically configurable via a C API.

The user would use this technique to upgrade their nodes:
1.  user rolls all nodes from openais-0.80.X to corosync which is configured uing "algorithm 0" (the current algorithm) as the default transmit algorithm.
2.  User runs corosync-cfgtool or cman_tool which tells entire cluster to use "algorithm 1" for all new transmits after all nodes are rolled
3.  Existing corosync instances start using algorithm 1 (corosync is implemented to understand 0 and 1).

When a packet is received, its id is checked and the appropriate decryption algorithm is used based upon the id at the end of the packet.  This is localized to 1 C file, called "totemnet.c".

The first step is the algorithm agility of putting the identifier at the end of the packet and have corosync honor this identifier internally.  This provides the agility portion of the feature.

Then later we could roll out a new upgrade to corosync with NSS support and transition the users to different encryption algorithms.

I have provided management and product marketing with schedules for this technology and given other features and the lack of losing design wins because of the current implementation, it would appear it was prioritized lower and fell below the line given current resources.

There is no way to do auto negotiation without breaking wire compat without using the current set of algorithms so if full nss support is desired sober must be implemented in nss and there will be schedule impacts on cluster3 (our team is running at capacity and still behind schedule).

Comment 9 RHEL Product and Program Management 2009-12-15 09:07:44 EST
Development Management has reviewed and declined this request.  You may appeal
this decision by reopening this request.

Note You need to log in before you can comment on or make changes to this bug.