Posted to dev@pulsar.apache.org by Zixuan Liu <no...@gmail.com> on 2023/02/22 09:58:24 UTC

[DISCUSS] Using bouncycastle fips instead bouncycastle non-fips

Hi all,

I would like to discuss using the bouncycastle fips instead of the
bouncycastle non-fips.

The bouncycastle is a Java library that complements the default Java
Cryptographic Extension (JCE), which has two versions: fips version and
non-fips version.

The fips version is safer than non-fips. When the security level is very
high, many policies require the fips version, but the Pulsar default uses
the non-fips version. Switching this is complex, because
the `pulsar-client-messagecrypto-bc` module and root project depend on the
non-fips, so I suggest we switch to fips version from non-fips.

Reference:
- https://www.bouncycastle.org/
- https://www.bouncycastle.org/fips_faq.html
- https://en.wikipedia.org/wiki/Federal_Information_Processing_Standards

Thanks,
Zixuan
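
Added example (not part of the original post and not Pulsar's code): the question this thread keeps returning to is whether the transformations an application requests still resolve after the provider is swapped. The Java program below loads whichever Bouncy Castle provider jar is on the classpath and probes a list of transformations against it; the class name `BcProviderAudit` and the `REQUIRED` list are assumptions made for illustration, not values taken from Pulsar.

```java
import java.security.NoSuchAlgorithmException;
import java.security.Provider;
import java.security.Security;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.TreeSet;
import javax.crypto.Cipher;
import javax.crypto.NoSuchPaddingException;

/** Reports which Bouncy Castle JCE provider is available and what it can serve. */
public class BcProviderAudit {

    // Provider classes shipped by the two distributions (non-FIPS jar vs. FIPS jar).
    static final String BC_CLASS = "org.bouncycastle.jce.provider.BouncyCastleProvider";
    static final String BC_FIPS_CLASS = "org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider";

    // Constructed sample list, NOT Pulsar's actual transformations: replace it with
    // the strings your application passes to Cipher.getInstance().
    static final List<String> REQUIRED = List.of(
            "AES/GCM/NoPadding",
            "RSA/ECB/OAEPWithSHA-256AndMGF1Padding",
            "Blowfish/CBC/PKCS5Padding"); // Blowfish is not a FIPS-approved algorithm

    /** Instantiate a provider reflectively so this file compiles with neither jar present. */
    static Provider load(String className) {
        try {
            return (Provider) Class.forName(className).getDeclaredConstructor().newInstance();
        } catch (ReflectiveOperationException | LinkageError e) {
            return null; // jar not on the classpath, or the provider failed to initialise
        }
    }

    /** Cipher algorithm names the provider advertises through its service table. */
    static TreeSet<String> cipherAlgorithms(Provider p) {
        TreeSet<String> names = new TreeSet<>();
        for (Provider.Service s : p.getServices()) {
            if ("Cipher".equals(s.getType())) {
                names.add(s.getAlgorithm());
            }
        }
        return names;
    }

    /** Ask one provider for each transformation; record "ok" or the exception type. */
    static Map<String, String> probe(Provider p, List<String> transformations) {
        Map<String, String> out = new LinkedHashMap<>();
        for (String t : transformations) {
            try {
                Cipher.getInstance(t, p);
                out.put(t, "ok");
            } catch (NoSuchAlgorithmException | NoSuchPaddingException | SecurityException e) {
                // This is the exception a caller would see after the provider swap.
                out.put(t, e.getClass().getSimpleName());
            }
        }
        return out;
    }

    public static void main(String[] args) {
        Map<String, Provider> candidates = new LinkedHashMap<>();
        candidates.put("BC (non-FIPS)", load(BC_CLASS));
        candidates.put("BC-FIPS", load(BC_FIPS_CLASS));
        // Baseline from the JDK itself; null on JVMs that do not ship SunJCE.
        candidates.put("SunJCE (JDK)", Security.getProvider("SunJCE"));

        for (Map.Entry<String, Provider> c : candidates.entrySet()) {
            Provider p = c.getValue();
            if (p == null) {
                System.out.println(c.getKey() + ": not available");
                continue;
            }
            boolean registered = Security.getProvider(p.getName()) != null;
            System.out.printf("%s: name=%s registered=%b cipherServices=%d%n",
                    c.getKey(), p.getName(), registered, cipherAlgorithms(p).size());
            probe(p, REQUIRED).forEach((t, r) -> System.out.printf("  %-42s %s%n", t, r));
        }
    }
}
```

Run it once with the non-FIPS jar and once with the FIPS jar on the classpath and compare the two reports; any transformation that is `ok` in the first and an exception in the second is a breaking change for callers.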

Re: [DISCUSS] Using bouncycastle fips instead bouncycastle non-fips

Posted by Zixuan Liu <no...@gmail.com>.
> So it means the change is only on the client side, not the broker side?

pulsar-functions also depends on BC. In Pulsar, we only use the BC or
BC-FIPS; right now we are using the BC.

> we could consider that in the future. current way is to align with the
> old manner.

I talked to Jia; BC is used for compatibility with old users.

Maybe we shouldn't break that.

Asaf Mesika <as...@gmail.com> wrote on Mon, Mar 6, 2023 at 20:03:

> So it means the change is only on the client side, not the broker side?

Re: [DISCUSS] Using bouncycastle fips instead bouncycastle non-fips

Posted by Asaf Mesika <as...@gmail.com>.
So it means the change is only on the client side, not the broker side?


On Fri, Mar 3, 2023 at 11:42 AM Zixuan Liu <no...@gmail.com> wrote:

> Hi all,
>
> We only use the BC to encrypt the message, not TLS, so I think we can
> migrate to the BC-FIPS.
>
> If you think it's feasible, I'll try to do it, and if it doesn't pass the
> Pulsar test, I'll keep using the BC.
>
> Thanks,
> Zixuan

Re: [DISCUSS] Using bouncycastle fips instead bouncycastle non-fips

Posted by Zixuan Liu <no...@gmail.com>.
Hi all,

We only use the BC to encrypt the message, not TLS, so I think we can
migrate to the BC-FIPS.

If you think it's feasible, I'll try to do it, and if it doesn't pass the
Pulsar test, I'll keep using the BC.

Thanks,
Zixuan



YuWei Sung <yu...@streamnative.io.invalid> wrote on Thu, Mar 2, 2023 at 00:40:

> BC and BC-FIPS differences are the cipher suites. This is similar to TLS1.1
> vs 1.2 vs 1.3. Some suites are deprecated (not secured enough due to
> compute power improvement).
> in TLS 1.3, client has no chance to specific weak cipher suites to connect
> to server and exploit the weakness.
> For BC-FIPS harden pulsar cluster, brokers should reject connections from
> clients with BC (clients must use Security.provider bc-fips).
> For BC non fips cluster, it should be flexible. client with bc-fips or bc
> should be able to connect to pulsar (bc).

Re: [DISCUSS] Using bouncycastle fips instead bouncycastle non-fips

Posted by YuWei Sung <yu...@streamnative.io.INVALID>.
BC and BC-FIPS differences are the cipher suites. This is similar to TLS 1.1
vs 1.2 vs 1.3. Some suites are deprecated (not secure enough due to
compute power improvement).
In TLS 1.3, the client has no chance to specify weak cipher suites to connect
to the server and exploit the weakness.
For a BC-FIPS hardened Pulsar cluster, brokers should reject connections from
clients with BC (clients must use Security.provider bc-fips).
For a BC non-FIPS cluster, it should be flexible. Clients with bc-fips or bc
should be able to connect to Pulsar (bc).

Yu Wei Sung
Sr. Solutions Engineer
streamnative.io


On Wed, Mar 1, 2023 at 10:28 AM Zixuan Liu <no...@gmail.com> wrote:

> > Actually I was expecting that part of the discussion will specify the
> > difference between using FIPS compared with non-FIPS, in each BouncyCastle
> > usage: TLS and message encryption.
>
> Good catch! I'll check this.

Re: [DISCUSS] Using bouncycastle fips instead bouncycastle non-fips

Posted by Zixuan Liu <no...@gmail.com>.
> Actually I was expecting that part of the discussion will specify the
> difference between using FIPS compared with non-FIPS, in each BouncyCastle
> usage: TLS and message encryption.

Good catch! I'll check this.

Asaf Mesika <as...@gmail.com> wrote on Wed, Mar 1, 2023 at 21:19:

> On Mon, Feb 27, 2023 at 4:35 PM Zixuan Liu <no...@gmail.com> wrote:
>
> > > users might get exceptions if they don't use specific algorithms or
> > > encryption schemes?
> >
> > Could you share more info about this?
> >
>
> Actually I was expecting that part of the discussion will specify the
> difference between using FIPS compared with non-FIPS, in each BouncyCastle
> usage: TLS and message encryption.
>
>  I imagined that FIPS has a shorter list of ciphers it supports.

Re: [DISCUSS] Using bouncycastle fips instead bouncycastle non-fips

Posted by Asaf Mesika <as...@gmail.com>.
On Mon, Feb 27, 2023 at 4:35 PM Zixuan Liu <no...@gmail.com> wrote:

> > users might get exceptions if they don't use specific algorithms or
> > encryption schemes?
>
> Could you share more info about this?
>

Actually I was expecting that part of the discussion will specify the
difference between using FIPS compared with non-FIPS, in each BouncyCastle
usage: TLS and message encryption.

 I imagined that FIPS has a shorter list of ciphers it supports.




Re: [DISCUSS] Using bouncycastle fips instead bouncycastle non-fips

Posted by Zixuan Liu <no...@gmail.com>.
> users might get exceptions if they don't use specific algorithms or
> encryption schemes?

Could you share more info about this?

Asaf Mesika <as...@gmail.com> wrote on Mon, Feb 27, 2023 at 18:01:

> So if I understand you correctly, once you switch to the FIPS version of
> Bouncy Castle, users might get exceptions if they don't use specific
> algorithms or encryption schemes?
> Potentially a breaking change?
> You can't switch it off via config?
>
> On Wed, Feb 22, 2023 at 3:56 PM Zixuan Liu <no...@gmail.com> wrote:
>
> > > 1. What is FIPS?
> >
> > FIPS (Federal Information Processing Standards) are a set of standards
> that
> > describe document processing, encryption algorithms and other information
> > technology standards for use within non-military government agencies and
> by
> > government contractors and vendors who work with the agencies.
> >
> > > 2. Why is the FIPS version safer exactly?
> >
> > FIPS standard is strict. When using the FIPS version, this is also very
> > strict and standard.
> >
> > > 3. What is bouncycastle used exactly in Pulsar?
> >
> > We use the bouncycastle as the TLS provider,  and used for the end-to-end
> > message encryption.
> >
> > Thanks,
> > Zixuan
> >
> > Asaf Mesika <as...@gmail.com> 于2023年2月22日周三 21:23写道:
> >
> > > Can you elaborate a bit:
> > > 1. What is FIPS?
> > > 2. Why is the FIPS version safer exactly?
> > > 3. What is bouncycastle used exactly in Pulsar?
> > >
> > >
> > >
> > > On Wed, Feb 22, 2023 at 11:58 AM Zixuan Liu <no...@gmail.com> wrote:
> > >
> > > > Hi all,
> > > >
> > > > I would like to discuss using the bouncycastle fips instead of the
> > > > bouncycastle non-fips.
> > > >
> > > > The bouncycastle is a Java library that complements the default Java
> > > > Cryptographic Extension (JCE), which has two versions: fips version and
> > > > non-fips version.
> > > >
> > > > The fips version is safer than non-fips. When the security level is very
> > > > high, many policies require the fips version, but the Pulsar default uses
> > > > the non-fips version. Switch this is complex, because
> > > > the `pulsar-client-messagecrypto-bc` module and root project depends on the
> > > > non-fips, so I suggest we switch to fips version from non-fips.
> > > >
> > > > Reference:
> > > > - https://www.bouncycastle.org/
> > > > - https://www.bouncycastle.org/fips_faq.html
> > > > - https://en.wikipedia.org/wiki/Federal_Information_Processing_Standards
> > > >
> > > > Thanks,
> > > > Zixuan
> > > >
> > >
> >
>

Re: [DISCUSS] Using bouncycastle fips instead bouncycastle non-fips

Posted by Asaf Mesika <as...@gmail.com>.
So if I understand you correctly, once you switch to the FIPS version of
Bouncy Castle, users might get exceptions if they don't use specific
algorithms or encryption schemes?
Potentially a breaking change?
You can't switch it off via config?

On Wed, Feb 22, 2023 at 3:56 PM Zixuan Liu <no...@gmail.com> wrote:

> > 1. What is FIPS?
>
> FIPS (Federal Information Processing Standards) are a set of standards that
> describe document processing, encryption algorithms and other information
> technology standards for use within non-military government agencies and by
> government contractors and vendors who work with the agencies.
>
> > 2. Why is the FIPS version safer exactly?
>
> FIPS standard is strict. When using the FIPS version, this is also very
> strict and standard.
>
> > 3. What is bouncycastle used exactly in Pulsar?
>
> We use the bouncycastle as the TLS provider,  and used for the end-to-end
> message encryption.
>
> Thanks,
> Zixuan
>
> Asaf Mesika <as...@gmail.com> wrote on Wed, Feb 22, 2023 at 21:23:
>
> > Can you elaborate a bit:
> > 1. What is FIPS?
> > 2. Why is the FIPS version safer exactly?
> > 3. What is bouncycastle used exactly in Pulsar?
> >
> >
> >
> > On Wed, Feb 22, 2023 at 11:58 AM Zixuan Liu <no...@gmail.com> wrote:
> >
> > > Hi all,
> > >
> > > I would like to discuss using the bouncycastle fips instead of the
> > > bouncycastle non-fips.
> > >
> > > The bouncycastle is a Java library that complements the default Java
> > > Cryptographic Extension (JCE), which has two versions: fips version and
> > > non-fips version.
> > >
> > > The fips version is safer than non-fips. When the security level is very
> > > high, many policies require the fips version, but the Pulsar default uses
> > > the non-fips version. Switch this is complex, because
> > > the `pulsar-client-messagecrypto-bc` module and root project depends on the
> > > non-fips, so I suggest we switch to fips version from non-fips.
> > >
> > > Reference:
> > > - https://www.bouncycastle.org/
> > > - https://www.bouncycastle.org/fips_faq.html
> > > - https://en.wikipedia.org/wiki/Federal_Information_Processing_Standards
> > >
> > > Thanks,
> > > Zixuan
> > >
> >
>
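
A preflight check for the concern raised in the message above, as an added example that is not part of the thread or of Pulsar's code: it reports which Bouncy Castle provider is registered and whether each cipher transformation an application relies on can be obtained from it. `BC` and `BCFIPS` are the names the two Bouncy Castle providers register under; the transformation list is constructed sample input, not taken from Pulsar.

```java
import java.security.GeneralSecurityException;
import java.security.Provider;
import java.security.Security;
import java.util.*;
import javax.crypto.Cipher;

public class BcFlavourPreflight {
    // Names under which the non-FIPS and FIPS Bouncy Castle providers register.
    static final List<String> BC_NAMES = List.of("BC", "BCFIPS");
    // Constructed sample list (assumption): replace with what your application requests.
    static final List<String> REQUIRED = List.of(
            "AES/GCM/NoPadding",
            "RSA/ECB/OAEPWithSHA-256AndMGF1Padding");

    // Returns the Bouncy Castle providers currently registered with the JVM.
    static List<Provider> registeredBouncyCastle() {
        List<Provider> found = new ArrayList<>();
        for (String name : BC_NAMES) {
            Provider p = Security.getProvider(name);
            if (p != null) found.add(p);
        }
        return found;
    }

    // Maps each transformation to "ok" or to the reason the provider refused it.
    static Map<String, String> probe(Provider provider, List<String> transformations) {
        Map<String, String> result = new LinkedHashMap<>();
        for (String t : transformations) {
            try {
                Cipher.getInstance(t, provider);
                result.put(t, "ok");
            } catch (GeneralSecurityException e) {
                result.put(t, e.getClass().getSimpleName() + ": " + e.getMessage());
            }
        }
        return result;
    }

    public static void main(String[] args) {
        List<Provider> providers = registeredBouncyCastle();
        if (providers.isEmpty()) {
            System.out.println("No Bouncy Castle provider registered; probing default providers");
            providers = List.of(Security.getProviders());
        }
        for (Provider p : providers) {
            System.out.println(p.getName() + " " + p.getVersionStr());
            probe(p, REQUIRED).forEach((t, r) -> System.out.println("  " + t + " -> " + r));
        }
    }
}
```

Running it once against each jar before swapping the dependency shows which transformations would start failing after the switch.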

Re: [DISCUSS] Using bouncycastle fips instead bouncycastle non-fips

Posted by Zixuan Liu <no...@gmail.com>.
Thanks @Michael for the context!

> 2020-10-28 01:53:06 UTC - jia zhai: we could consider that in the future.
> current way is to align with the old manner.  usually user will provide
> their own security jars, such as BouncyCastle, and non-fips version maybe
> used in a more wide range.

That's valuable, but if we use the BouncyCastle stuff + FIPS compliance, it
would be better (from a safety point of view). I will try to communicate
with jia offline.

> Also, do we need to update our cryptography notice on our README about
> our bouncy castle usage [4] if we make this the default?

Sure, we should update this notice. Right now we are using the `Conscrypt`
and `netty-tcnative` to provide the SSL.

Thanks,
Zixuan

Michael Marshall <mm...@apache.org> wrote on Thu, Feb 23, 2023 at 04:11:

> I am +1, but I am not familiar with the nuanced differences of these
> jars, so it'd be valuable to get other opinions, too.
>
> I tried to understand why the default is the way it is, and it looks
> like Jia Zhai was involved in the initial work [0].
>
> I see in the slack digest on our mailing list that there is an
> indication that we could make the FIPS version the default. Here are
> some relevant messages from the ML [1][2][3]
>
> > 2020-10-26 06:43:48 UTC - Anup Ghatage: I noticed that Pulsar doesn’t
> > have BouncyCastle FIPS switched on by default but the documentation leaves
> > it up to the implementers to choose.
> > Is there any specific reason for this? I thought BC-FIPS comes with
> > the usual BouncyCastle stuff + FIPS compliance (which would be a good
> > thing) right?
> > 2020-10-26 08:37:13 UTC - Sijie Guo: @jia zhai would have a better
> > answer for it.
> > 2020-10-26 12:59:16 UTC - jia zhai: @Sijie Guo @Anup Ghatage right,
> > there is no specific reason for this. It seems be more related to the
> > project building,  we may need to config the profile to build different bc
> > type. but this seems a little hard in maven:joy:.
> > It would be helpful, if anyone would like to contribute to this feature.
> > 2020-10-26 16:31:57 UTC - Anup Ghatage: I’m thinking why not keep it on
> > by default? There aren’t any API differences for the most part. That way
> > Pulsar will be FIPS compliant all the time.
> > 2020-10-28 01:53:06 UTC - jia zhai: we could consider that in the
> > future. current way is to align with the old manner.  usually user will
> > provide their own security jars, such as BouncyCastle, and non-fips version
> > maybe used in a more wide range.
>
> Also, do we need to update our cryptography notice on our README about
> our bouncy castle usage [4] if we make this the default?
>
> Thanks,
> Michael
>
> [0] https://github.com/apache/pulsar/pull/6588
> [1] https://lists.apache.org/thread/fln8o94t0gxnd54fr7tn4hrjp23mj48r
> [2] https://lists.apache.org/thread/xmrhyo1fkdhm4l9xz0t66yk5pk5g5f6p
> [3] https://lists.apache.org/thread/fs8rx620oq7q7px1mqs3k7qdoz3oz0s4
> [4] https://github.com/apache/pulsar#crypto-notice
>
> On Wed, Feb 22, 2023 at 7:56 AM Zixuan Liu <no...@gmail.com> wrote:
> >
> > > 1. What is FIPS?
> >
> > FIPS (Federal Information Processing Standards) are a set of standards that
> > describe document processing, encryption algorithms and other information
> > technology standards for use within non-military government agencies and by
> > government contractors and vendors who work with the agencies.
> >
> > > 2. Why is the FIPS version safer exactly?
> >
> > FIPS standard is strict. When using the FIPS version, this is also very
> > strict and standard.
> >
> > > 3. What is bouncycastle used exactly in Pulsar?
> >
> > We use the bouncycastle as the TLS provider,  and used for the end-to-end
> > message encryption.
> >
> > Thanks,
> > Zixuan
> >
> > Asaf Mesika <as...@gmail.com> wrote on Wed, Feb 22, 2023 at 21:23:
> >
> > > Can you elaborate a bit:
> > > 1. What is FIPS?
> > > 2. Why is the FIPS version safer exactly?
> > > 3. What is bouncycastle used exactly in Pulsar?
> > >
> > >
> > >
> > > On Wed, Feb 22, 2023 at 11:58 AM Zixuan Liu <no...@gmail.com> wrote:
> > >
> > > > Hi all,
> > > >
> > > > I would like to discuss using the bouncycastle fips instead of the
> > > > bouncycastle non-fips.
> > > >
> > > > The bouncycastle is a Java library that complements the default Java
> > > > Cryptographic Extension (JCE), which has two versions: fips version and
> > > > non-fips version.
> > > >
> > > > The fips version is safer than non-fips. When the security level is very
> > > > high, many policies require the fips version, but the Pulsar default uses
> > > > the non-fips version. Switch this is complex, because
> > > > the `pulsar-client-messagecrypto-bc` module and root project depends on the
> > > > non-fips, so I suggest we switch to fips version from non-fips.
> > > >
> > > > Reference:
> > > > - https://www.bouncycastle.org/
> > > > - https://www.bouncycastle.org/fips_faq.html
> > > > - https://en.wikipedia.org/wiki/Federal_Information_Processing_Standards
> > > >
> > > > Thanks,
> > > > Zixuan
> > > >
> > >
>

Re: [DISCUSS] Using bouncycastle fips instead bouncycastle non-fips

Posted by Michael Marshall <mm...@apache.org>.
I am +1, but I am not familiar with the nuanced differences of these
jars, so it'd be valuable to get other opinions, too.

I tried to understand why the default is the way it is, and it looks
like Jia Zhai was involved in the initial work [0].

I see in the slack digest on our mailing list that there is an
indication that we could make the FIPS version the default. Here are
some relevant messages from the ML [1][2][3]

> 2020-10-26 06:43:48 UTC - Anup Ghatage: I noticed that Pulsar doesn’t have BouncyCastle FIPS switched on by default but the documentation leaves it up to the implementers to choose.
> Is there any specific reason for this? I thought BC-FIPS comes with
> the usual BouncyCastle stuff + FIPS compliance (which would be a good
> thing) right?
> 2020-10-26 08:37:13 UTC - Sijie Guo: @jia zhai would have a better answer for it.
> 2020-10-26 12:59:16 UTC - jia zhai: @Sijie Guo @Anup Ghatage right, there is no specific reason for this. It seems be more related to the project building,  we may need to config the profile to build different bc type. but this seems a little hard in maven:joy:.
> It would be helpful, if anyone would like to contribute to this feature.
> 2020-10-26 16:31:57 UTC - Anup Ghatage: I’m thinking why not keep it on by default? There aren’t any API differences for the most part. That way Pulsar will be FIPS compliant all the time.
> 2020-10-28 01:53:06 UTC - jia zhai: we could consider that in the future. current way is to align with the old manner.  usually user will provide their own security jars, such as BouncyCastle, and non-fips version maybe used in a more wide range.

Also, do we need to update our cryptography notice on our README about
our bouncy castle usage [4] if we make this the default?

Thanks,
Michael

[0] https://github.com/apache/pulsar/pull/6588
[1] https://lists.apache.org/thread/fln8o94t0gxnd54fr7tn4hrjp23mj48r
[2] https://lists.apache.org/thread/xmrhyo1fkdhm4l9xz0t66yk5pk5g5f6p
[3] https://lists.apache.org/thread/fs8rx620oq7q7px1mqs3k7qdoz3oz0s4
[4] https://github.com/apache/pulsar#crypto-notice

On Wed, Feb 22, 2023 at 7:56 AM Zixuan Liu <no...@gmail.com> wrote:
>
> > 1. What is FIPS?
>
> FIPS (Federal Information Processing Standards) are a set of standards that
> describe document processing, encryption algorithms and other information
> technology standards for use within non-military government agencies and by
> government contractors and vendors who work with the agencies.
>
> > 2. Why is the FIPS version safer exactly?
>
> FIPS standard is strict. When using the FIPS version, this is also very
> strict and standard.
>
> > 3. What is bouncycastle used exactly in Pulsar?
>
> We use the bouncycastle as the TLS provider,  and used for the end-to-end
> message encryption.
>
> Thanks,
> Zixuan
>
> Asaf Mesika <as...@gmail.com> wrote on Wed, Feb 22, 2023 at 21:23:
>
> > Can you elaborate a bit:
> > 1. What is FIPS?
> > 2. Why is the FIPS version safer exactly?
> > 3. What is bouncycastle used exactly in Pulsar?
> >
> >
> >
> > On Wed, Feb 22, 2023 at 11:58 AM Zixuan Liu <no...@gmail.com> wrote:
> >
> > > Hi all,
> > >
> > > I would like to discuss using the bouncycastle fips instead of the
> > > bouncycastle non-fips.
> > >
> > > The bouncycastle is a Java library that complements the default Java
> > > Cryptographic Extension (JCE), which has two versions: fips version and
> > > non-fips version.
> > >
> > > The fips version is safer than non-fips. When the security level is very
> > > high, many policies require the fips version, but the Pulsar default uses
> > > the non-fips version. Switch this is complex, because
> > > the `pulsar-client-messagecrypto-bc` module and root project depends on the
> > > non-fips, so I suggest we switch to fips version from non-fips.
> > >
> > > Reference:
> > > - https://www.bouncycastle.org/
> > > - https://www.bouncycastle.org/fips_faq.html
> > > - https://en.wikipedia.org/wiki/Federal_Information_Processing_Standards
> > >
> > > Thanks,
> > > Zixuan
> > >
> >

Re: [DISCUSS] Using bouncycastle fips instead bouncycastle non-fips

Posted by Zixuan Liu <no...@gmail.com>.
> 1. What is FIPS?

FIPS (Federal Information Processing Standards) are a set of standards that
describe document processing, encryption algorithms and other information
technology standards for use within non-military government agencies and by
government contractors and vendors who work with the agencies.

> 2. Why is the FIPS version safer exactly?

FIPS standard is strict. When using the FIPS version, this is also very
strict and standard.

> 3. What is bouncycastle used exactly in Pulsar?

We use the bouncycastle as the TLS provider,  and used for the end-to-end
message encryption.

Thanks,
Zixuan

Asaf Mesika <as...@gmail.com> wrote on Wed, Feb 22, 2023 at 21:23:

> Can you elaborate a bit:
> 1. What is FIPS?
> 2. Why is the FIPS version safer exactly?
> 3. What is bouncycastle used exactly in Pulsar?
>
>
>
> On Wed, Feb 22, 2023 at 11:58 AM Zixuan Liu <no...@gmail.com> wrote:
>
> > Hi all,
> >
> > I would like to discuss using the bouncycastle fips instead of the
> > bouncycastle non-fips.
> >
> > The bouncycastle is a Java library that complements the default Java
> > Cryptographic Extension (JCE), which has two versions: fips version and
> > non-fips version.
> >
> > The fips version is safer than non-fips. When the security level is very
> > high, many policies require the fips version, but the Pulsar default uses
> > the non-fips version. Switch this is complex, because
> > the `pulsar-client-messagecrypto-bc` module and root project depends on the
> > non-fips, so I suggest we switch to fips version from non-fips.
> >
> > Reference:
> > - https://www.bouncycastle.org/
> > - https://www.bouncycastle.org/fips_faq.html
> > - https://en.wikipedia.org/wiki/Federal_Information_Processing_Standards
> >
> > Thanks,
> > Zixuan
> >
>

Re: [DISCUSS] Using bouncycastle fips instead bouncycastle non-fips

Posted by Asaf Mesika <as...@gmail.com>.
Can you elaborate a bit:
1. What is FIPS?
2. Why is the FIPS version safer exactly?
3. What is bouncycastle used exactly in Pulsar?



On Wed, Feb 22, 2023 at 11:58 AM Zixuan Liu <no...@gmail.com> wrote:

> Hi all,
>
> I would like to discuss using the bouncycastle fips instead of the
> bouncycastle non-fips.
>
> The bouncycastle is a Java library that complements the default Java
> Cryptographic Extension (JCE), which has two versions: fips version and
> non-fips version.
>
> The fips version is safer than non-fips. When the security level is very
> high, many policies require the fips version, but the Pulsar default uses
> the non-fips version. Switch this is complex, because
> the `pulsar-client-messagecrypto-bc` module and root project depends on the
> non-fips, so I suggest we switch to fips version from non-fips.
>
> Reference:
> - https://www.bouncycastle.org/
> - https://www.bouncycastle.org/fips_faq.html
> - https://en.wikipedia.org/wiki/Federal_Information_Processing_Standards
>
> Thanks,
> Zixuan
>