You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@pulsar.apache.org by Asaf Mesika <as...@gmail.com> on 2023/03/01 13:19:37 UTC

Re: [DISCUSS] Using bouncycastle fips instead bouncycastle non-fips

On Mon, Feb 27, 2023 at 4:35 PM Zixuan Liu <no...@gmail.com> wrote:

> > users might get exceptions if they don't use specific algorithms or
> encryption schemes?
>
> Could you share more info about this?
>

Actually I was expecting that part of the discussion will specify the
difference between using FIPS compared with non-FIPS, in each BouncyCastle
usage: TLS and message encryption.

 I imagined that FIPS has a shorter list of ciphers it supports.



> Asaf Mesika <as...@gmail.com> 于2023年2月27日周一 18:01写道：
>
> > So if I understand you correctly, once you switch to the FIPS version of
> > Bouncy Castle, users might get exceptions if they don't use specific
> > algorithms or encryption schemes?
> > Potentially a breaking change?
> > You can't switch it off via config?
> >
> > On Wed, Feb 22, 2023 at 3:56 PM Zixuan Liu <no...@gmail.com> wrote:
> >
> > > > 1. What is FIPS?
> > >
> > > FIPS (Federal Information Processing Standards) are a set of standards
> > that
> > > describe document processing, encryption algorithms and other
> information
> > > technology standards for use within non-military government agencies
> and
> > by
> > > government contractors and vendors who work with the agencies.
> > >
> > > > 2. Why is the FIPS version safer exactly?
> > >
> > > FIPS standard is strict. When using the FIPS version, this is also very
> > > strict and standard.
> > >
> > > > 3. What is bouncycastle used exactly in Pulsar?
> > >
> > > We use the bouncycastle as the TLS provider,  and used for the
> end-to-end
> > > message encryption.
> > >
> > > Thanks,
> > > Zixuan
> > >
> > > Asaf Mesika <as...@gmail.com> 于2023年2月22日周三 21:23写道：
> > >
> > > > Can you elaborate a bit:
> > > > 1. What is FIPS?
> > > > 2. Why is the FIPS version safer exactly?
> > > > 3. What is bouncycastle used exactly in Pulsar?
> > > >
> > > >
> > > >
> > > > On Wed, Feb 22, 2023 at 11:58 AM Zixuan Liu <no...@gmail.com>
> wrote:
> > > >
> > > > > Hi all,
> > > > >
> > > > > I would like to discuss using the bouncycastle fips instead of the
> > > > > bouncycastle non-fips.
> > > > >
> > > > > The bouncycastle is a Java library that complements the default
> Java
> > > > > Cryptographic Extension (JCE), which has two versions: fips version
> > and
> > > > > non-fips version.
> > > > >
> > > > > The fips version is safer than non-fips. When the security level is
> > > very
> > > > > high, many policies require the fips version, but the Pulsar
> default
> > > uses
> > > > > the non-fips version. Switch this is complex, because
> > > > > the `pulsar-client-messagecrypto-bc` module and root project
> depends
> > on
> > > > the
> > > > > non-fips, so I suggest we switch to fips version from non-fips.
> > > > >
> > > > > Reference:
> > > > > - https://www.bouncycastle.org/
> > > > > - https://www.bouncycastle.org/fips_faq.html
> > > > > -
> > > https://en.wikipedia.org/wiki/Federal_Information_Processing_Standards
> > > > >
> > > > > Thanks,
> > > > > Zixuan
> > > > >
> > > >
> > >
> >
>

Re: [DISCUSS] Using bouncycastle fips instead bouncycastle non-fips

Posted by Zixuan Liu <no...@gmail.com>.

> So it means the change is only on the client side, not the broker side?

pulsar-functions also depend on BC. In the Pulsar, we only use the BC or
BC-FIPS, right now we are using the BC.

> we could consider that in the future. current way is to align with the
old manner.
I talked to jia,  BC is used for compatibility with old users.


Maybe we shouldn't break that.

Asaf Mesika <as...@gmail.com> 于2023年3月6日周一 20:03写道：

> So it means the change is only on the client side, not the broker side?
>
>
> On Fri, Mar 3, 2023 at 11:42 AM Zixuan Liu <no...@gmail.com> wrote:
>
> > Hi all,
> >
> > We only use the BC to encrypt the message, not TLS, so I think we can
> > migrate to the BC-FIPS.
> >
> > If you think it's feasible, I'll try to do it, and if it doesn't pass the
> > Pulsar test, I'll keep using the BC.
> >
> > Thanks,
> > Zixuan
> >
> >
> >
> > YuWei Sung <yu...@streamnative.io.invalid> 于2023年3月2日周四 00:40写道：
> >
> > > BC and BC-FIPS differences are the cipher suites. This is similar to
> > TLS1.1
> > > vs 1.2 vs 1.3. Some suites are deprecated (not secured enough due to
> > > compute power improvement).
> > > in TLS 1.3, client has no chance to specific weak cipher suites to
> > connect
> > > to server and exploit the weakness.
> > > For BC-FIPS harden pulsar cluster, brokers should reject connections
> from
> > > clients with BC (clients must use Security.provider bc-fips).
> > > For BC non fips cluster, it should be flexible. client with bc-fips or
> bc
> > > should be able to connect to pulsar (bc).
> > >
> > > <https://streamnative.io>
> > >
> > >
> > > Yu Wei Sung
> > >
> > > Sr. Solutions Engineer
> > >
> > >
> > > streamnative.io
> > >
> > > <http://github.com/streamnative>
> > > <https://www.linkedin.com/company/streamnative/>
> > > <https://twitter.com/streamnativeio/>
> > >
> > >
> > > On Wed, Mar 1, 2023 at 10:28 AM Zixuan Liu <no...@gmail.com> wrote:
> > >
> > > > > Actually I was expecting that part of the discussion will specify
> the
> > > > > difference between using FIPS compared with non-FIPS, in each
> > > > BouncyCastle
> > > > > usage: TLS and message encryption.
> > > >
> > > > Good catch! I'll check this.
> > > >
> > > > Asaf Mesika <as...@gmail.com> 于2023年3月1日周三 21:19写道：
> > > >
> > > > > On Mon, Feb 27, 2023 at 4:35 PM Zixuan Liu <no...@gmail.com>
> > wrote:
> > > > >
> > > > > > > users might get exceptions if they don't use specific
> algorithms
> > or
> > > > > > encryption schemes?
> > > > > >
> > > > > > Could you share more info about this?
> > > > > >
> > > > >
> > > > > Actually I was expecting that part of the discussion will specify
> the
> > > > > difference between using FIPS compared with non-FIPS, in each
> > > > BouncyCastle
> > > > > usage: TLS and message encryption.
> > > > >
> > > > >  I imagined that FIPS has a shorter list of ciphers it supports.
> > > > >
> > > > >
> > > > >
> > > > > > Asaf Mesika <as...@gmail.com> 于2023年2月27日周一 18:01写道：
> > > > > >
> > > > > > > So if I understand you correctly, once you switch to the FIPS
> > > version
> > > > > of
> > > > > > > Bouncy Castle, users might get exceptions if they don't use
> > > specific
> > > > > > > algorithms or encryption schemes?
> > > > > > > Potentially a breaking change?
> > > > > > > You can't switch it off via config?
> > > > > > >
> > > > > > > On Wed, Feb 22, 2023 at 3:56 PM Zixuan Liu <no...@gmail.com>
> > > > wrote:
> > > > > > >
> > > > > > > > > 1. What is FIPS?
> > > > > > > >
> > > > > > > > FIPS (Federal Information Processing Standards) are a set of
> > > > > standards
> > > > > > > that
> > > > > > > > describe document processing, encryption algorithms and other
> > > > > > information
> > > > > > > > technology standards for use within non-military government
> > > > agencies
> > > > > > and
> > > > > > > by
> > > > > > > > government contractors and vendors who work with the
> agencies.
> > > > > > > >
> > > > > > > > > 2. Why is the FIPS version safer exactly?
> > > > > > > >
> > > > > > > > FIPS standard is strict. When using the FIPS version, this is
> > > also
> > > > > very
> > > > > > > > strict and standard.
> > > > > > > >
> > > > > > > > > 3. What is bouncycastle used exactly in Pulsar?
> > > > > > > >
> > > > > > > > We use the bouncycastle as the TLS provider,  and used for
> the
> > > > > > end-to-end
> > > > > > > > message encryption.
> > > > > > > >
> > > > > > > > Thanks,
> > > > > > > > Zixuan
> > > > > > > >
> > > > > > > > Asaf Mesika <as...@gmail.com> 于2023年2月22日周三 21:23写道：
> > > > > > > >
> > > > > > > > > Can you elaborate a bit:
> > > > > > > > > 1. What is FIPS?
> > > > > > > > > 2. Why is the FIPS version safer exactly?
> > > > > > > > > 3. What is bouncycastle used exactly in Pulsar?
> > > > > > > > >
> > > > > > > > >
> > > > > > > > >
> > > > > > > > > On Wed, Feb 22, 2023 at 11:58 AM Zixuan Liu <
> > nodeces@gmail.com
> > > >
> > > > > > wrote:
> > > > > > > > >
> > > > > > > > > > Hi all,
> > > > > > > > > >
> > > > > > > > > > I would like to discuss using the bouncycastle fips
> instead
> > > of
> > > > > the
> > > > > > > > > > bouncycastle non-fips.
> > > > > > > > > >
> > > > > > > > > > The bouncycastle is a Java library that complements the
> > > default
> > > > > > Java
> > > > > > > > > > Cryptographic Extension (JCE), which has two versions:
> fips
> > > > > version
> > > > > > > and
> > > > > > > > > > non-fips version.
> > > > > > > > > >
> > > > > > > > > > The fips version is safer than non-fips. When the
> security
> > > > level
> > > > > is
> > > > > > > > very
> > > > > > > > > > high, many policies require the fips version, but the
> > Pulsar
> > > > > > default
> > > > > > > > uses
> > > > > > > > > > the non-fips version. Switch this is complex, because
> > > > > > > > > > the `pulsar-client-messagecrypto-bc` module and root
> > project
> > > > > > depends
> > > > > > > on
> > > > > > > > > the
> > > > > > > > > > non-fips, so I suggest we switch to fips version from
> > > non-fips.
> > > > > > > > > >
> > > > > > > > > > Reference:
> > > > > > > > > > - https://www.bouncycastle.org/
> > > > > > > > > > - https://www.bouncycastle.org/fips_faq.html
> > > > > > > > > > -
> > > > > > > >
> > > > >
> > https://en.wikipedia.org/wiki/Federal_Information_Processing_Standards
> > > > > > > > > >
> > > > > > > > > > Thanks,
> > > > > > > > > > Zixuan
> > > > > > > > > >
> > > > > > > > >
> > > > > > > >
> > > > > > >
> > > > > >
> > > > >
> > > >
> > >
> >
>

Re: [DISCUSS] Using bouncycastle fips instead bouncycastle non-fips

Posted by Asaf Mesika <as...@gmail.com>.

So it means the change is only on the client side, not the broker side?


On Fri, Mar 3, 2023 at 11:42 AM Zixuan Liu <no...@gmail.com> wrote:

> Hi all,
>
> We only use the BC to encrypt the message, not TLS, so I think we can
> migrate to the BC-FIPS.
>
> If you think it's feasible, I'll try to do it, and if it doesn't pass the
> Pulsar test, I'll keep using the BC.
>
> Thanks,
> Zixuan
>
>
>
> YuWei Sung <yu...@streamnative.io.invalid> 于2023年3月2日周四 00:40写道：
>
> > BC and BC-FIPS differences are the cipher suites. This is similar to
> TLS1.1
> > vs 1.2 vs 1.3. Some suites are deprecated (not secured enough due to
> > compute power improvement).
> > in TLS 1.3, client has no chance to specific weak cipher suites to
> connect
> > to server and exploit the weakness.
> > For BC-FIPS harden pulsar cluster, brokers should reject connections from
> > clients with BC (clients must use Security.provider bc-fips).
> > For BC non fips cluster, it should be flexible. client with bc-fips or bc
> > should be able to connect to pulsar (bc).
> >
> > <https://streamnative.io>
> >
> >
> > Yu Wei Sung
> >
> > Sr. Solutions Engineer
> >
> >
> > streamnative.io
> >
> > <http://github.com/streamnative>
> > <https://www.linkedin.com/company/streamnative/>
> > <https://twitter.com/streamnativeio/>
> >
> >
> > On Wed, Mar 1, 2023 at 10:28 AM Zixuan Liu <no...@gmail.com> wrote:
> >
> > > > Actually I was expecting that part of the discussion will specify the
> > > > difference between using FIPS compared with non-FIPS, in each
> > > BouncyCastle
> > > > usage: TLS and message encryption.
> > >
> > > Good catch! I'll check this.
> > >
> > > Asaf Mesika <as...@gmail.com> 于2023年3月1日周三 21:19写道：
> > >
> > > > On Mon, Feb 27, 2023 at 4:35 PM Zixuan Liu <no...@gmail.com>
> wrote:
> > > >
> > > > > > users might get exceptions if they don't use specific algorithms
> or
> > > > > encryption schemes?
> > > > >
> > > > > Could you share more info about this?
> > > > >
> > > >
> > > > Actually I was expecting that part of the discussion will specify the
> > > > difference between using FIPS compared with non-FIPS, in each
> > > BouncyCastle
> > > > usage: TLS and message encryption.
> > > >
> > > >  I imagined that FIPS has a shorter list of ciphers it supports.
> > > >
> > > >
> > > >
> > > > > Asaf Mesika <as...@gmail.com> 于2023年2月27日周一 18:01写道：
> > > > >
> > > > > > So if I understand you correctly, once you switch to the FIPS
> > version
> > > > of
> > > > > > Bouncy Castle, users might get exceptions if they don't use
> > specific
> > > > > > algorithms or encryption schemes?
> > > > > > Potentially a breaking change?
> > > > > > You can't switch it off via config?
> > > > > >
> > > > > > On Wed, Feb 22, 2023 at 3:56 PM Zixuan Liu <no...@gmail.com>
> > > wrote:
> > > > > >
> > > > > > > > 1. What is FIPS?
> > > > > > >
> > > > > > > FIPS (Federal Information Processing Standards) are a set of
> > > > standards
> > > > > > that
> > > > > > > describe document processing, encryption algorithms and other
> > > > > information
> > > > > > > technology standards for use within non-military government
> > > agencies
> > > > > and
> > > > > > by
> > > > > > > government contractors and vendors who work with the agencies.
> > > > > > >
> > > > > > > > 2. Why is the FIPS version safer exactly?
> > > > > > >
> > > > > > > FIPS standard is strict. When using the FIPS version, this is
> > also
> > > > very
> > > > > > > strict and standard.
> > > > > > >
> > > > > > > > 3. What is bouncycastle used exactly in Pulsar?
> > > > > > >
> > > > > > > We use the bouncycastle as the TLS provider,  and used for the
> > > > > end-to-end
> > > > > > > message encryption.
> > > > > > >
> > > > > > > Thanks,
> > > > > > > Zixuan
> > > > > > >
> > > > > > > Asaf Mesika <as...@gmail.com> 于2023年2月22日周三 21:23写道：
> > > > > > >
> > > > > > > > Can you elaborate a bit:
> > > > > > > > 1. What is FIPS?
> > > > > > > > 2. Why is the FIPS version safer exactly?
> > > > > > > > 3. What is bouncycastle used exactly in Pulsar?
> > > > > > > >
> > > > > > > >
> > > > > > > >
> > > > > > > > On Wed, Feb 22, 2023 at 11:58 AM Zixuan Liu <
> nodeces@gmail.com
> > >
> > > > > wrote:
> > > > > > > >
> > > > > > > > > Hi all,
> > > > > > > > >
> > > > > > > > > I would like to discuss using the bouncycastle fips instead
> > of
> > > > the
> > > > > > > > > bouncycastle non-fips.
> > > > > > > > >
> > > > > > > > > The bouncycastle is a Java library that complements the
> > default
> > > > > Java
> > > > > > > > > Cryptographic Extension (JCE), which has two versions: fips
> > > > version
> > > > > > and
> > > > > > > > > non-fips version.
> > > > > > > > >
> > > > > > > > > The fips version is safer than non-fips. When the security
> > > level
> > > > is
> > > > > > > very
> > > > > > > > > high, many policies require the fips version, but the
> Pulsar
> > > > > default
> > > > > > > uses
> > > > > > > > > the non-fips version. Switch this is complex, because
> > > > > > > > > the `pulsar-client-messagecrypto-bc` module and root
> project
> > > > > depends
> > > > > > on
> > > > > > > > the
> > > > > > > > > non-fips, so I suggest we switch to fips version from
> > non-fips.
> > > > > > > > >
> > > > > > > > > Reference:
> > > > > > > > > - https://www.bouncycastle.org/
> > > > > > > > > - https://www.bouncycastle.org/fips_faq.html
> > > > > > > > > -
> > > > > > >
> > > >
> https://en.wikipedia.org/wiki/Federal_Information_Processing_Standards
> > > > > > > > >
> > > > > > > > > Thanks,
> > > > > > > > > Zixuan
> > > > > > > > >
> > > > > > > >
> > > > > > >
> > > > > >
> > > > >
> > > >
> > >
> >
>

Re: [DISCUSS] Using bouncycastle fips instead bouncycastle non-fips

Posted by Zixuan Liu <no...@gmail.com>.

Hi all,

We only use the BC to encrypt the message, not TLS, so I think we can
migrate to the BC-FIPS.

If you think it's feasible, I'll try to do it, and if it doesn't pass the
Pulsar test, I'll keep using the BC.

Thanks,
Zixuan



YuWei Sung <yu...@streamnative.io.invalid> 于2023年3月2日周四 00:40写道：

> BC and BC-FIPS differences are the cipher suites. This is similar to TLS1.1
> vs 1.2 vs 1.3. Some suites are deprecated (not secured enough due to
> compute power improvement).
> in TLS 1.3, client has no chance to specific weak cipher suites to connect
> to server and exploit the weakness.
> For BC-FIPS harden pulsar cluster, brokers should reject connections from
> clients with BC (clients must use Security.provider bc-fips).
> For BC non fips cluster, it should be flexible. client with bc-fips or bc
> should be able to connect to pulsar (bc).
>
> <https://streamnative.io>
>
>
> Yu Wei Sung
>
> Sr. Solutions Engineer
>
>
> streamnative.io
>
> <http://github.com/streamnative>
> <https://www.linkedin.com/company/streamnative/>
> <https://twitter.com/streamnativeio/>
>
>
> On Wed, Mar 1, 2023 at 10:28 AM Zixuan Liu <no...@gmail.com> wrote:
>
> > > Actually I was expecting that part of the discussion will specify the
> > > difference between using FIPS compared with non-FIPS, in each
> > BouncyCastle
> > > usage: TLS and message encryption.
> >
> > Good catch! I'll check this.
> >
> > Asaf Mesika <as...@gmail.com> 于2023年3月1日周三 21:19写道：
> >
> > > On Mon, Feb 27, 2023 at 4:35 PM Zixuan Liu <no...@gmail.com> wrote:
> > >
> > > > > users might get exceptions if they don't use specific algorithms or
> > > > encryption schemes?
> > > >
> > > > Could you share more info about this?
> > > >
> > >
> > > Actually I was expecting that part of the discussion will specify the
> > > difference between using FIPS compared with non-FIPS, in each
> > BouncyCastle
> > > usage: TLS and message encryption.
> > >
> > >  I imagined that FIPS has a shorter list of ciphers it supports.
> > >
> > >
> > >
> > > > Asaf Mesika <as...@gmail.com> 于2023年2月27日周一 18:01写道：
> > > >
> > > > > So if I understand you correctly, once you switch to the FIPS
> version
> > > of
> > > > > Bouncy Castle, users might get exceptions if they don't use
> specific
> > > > > algorithms or encryption schemes?
> > > > > Potentially a breaking change?
> > > > > You can't switch it off via config?
> > > > >
> > > > > On Wed, Feb 22, 2023 at 3:56 PM Zixuan Liu <no...@gmail.com>
> > wrote:
> > > > >
> > > > > > > 1. What is FIPS?
> > > > > >
> > > > > > FIPS (Federal Information Processing Standards) are a set of
> > > standards
> > > > > that
> > > > > > describe document processing, encryption algorithms and other
> > > > information
> > > > > > technology standards for use within non-military government
> > agencies
> > > > and
> > > > > by
> > > > > > government contractors and vendors who work with the agencies.
> > > > > >
> > > > > > > 2. Why is the FIPS version safer exactly?
> > > > > >
> > > > > > FIPS standard is strict. When using the FIPS version, this is
> also
> > > very
> > > > > > strict and standard.
> > > > > >
> > > > > > > 3. What is bouncycastle used exactly in Pulsar?
> > > > > >
> > > > > > We use the bouncycastle as the TLS provider,  and used for the
> > > > end-to-end
> > > > > > message encryption.
> > > > > >
> > > > > > Thanks,
> > > > > > Zixuan
> > > > > >
> > > > > > Asaf Mesika <as...@gmail.com> 于2023年2月22日周三 21:23写道：
> > > > > >
> > > > > > > Can you elaborate a bit:
> > > > > > > 1. What is FIPS?
> > > > > > > 2. Why is the FIPS version safer exactly?
> > > > > > > 3. What is bouncycastle used exactly in Pulsar?
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > > On Wed, Feb 22, 2023 at 11:58 AM Zixuan Liu <nodeces@gmail.com
> >
> > > > wrote:
> > > > > > >
> > > > > > > > Hi all,
> > > > > > > >
> > > > > > > > I would like to discuss using the bouncycastle fips instead
> of
> > > the
> > > > > > > > bouncycastle non-fips.
> > > > > > > >
> > > > > > > > The bouncycastle is a Java library that complements the
> default
> > > > Java
> > > > > > > > Cryptographic Extension (JCE), which has two versions: fips
> > > version
> > > > > and
> > > > > > > > non-fips version.
> > > > > > > >
> > > > > > > > The fips version is safer than non-fips. When the security
> > level
> > > is
> > > > > > very
> > > > > > > > high, many policies require the fips version, but the Pulsar
> > > > default
> > > > > > uses
> > > > > > > > the non-fips version. Switch this is complex, because
> > > > > > > > the `pulsar-client-messagecrypto-bc` module and root project
> > > > depends
> > > > > on
> > > > > > > the
> > > > > > > > non-fips, so I suggest we switch to fips version from
> non-fips.
> > > > > > > >
> > > > > > > > Reference:
> > > > > > > > - https://www.bouncycastle.org/
> > > > > > > > - https://www.bouncycastle.org/fips_faq.html
> > > > > > > > -
> > > > > >
> > > https://en.wikipedia.org/wiki/Federal_Information_Processing_Standards
> > > > > > > >
> > > > > > > > Thanks,
> > > > > > > > Zixuan
> > > > > > > >
> > > > > > >
> > > > > >
> > > > >
> > > >
> > >
> >
>

Re: [DISCUSS] Using bouncycastle fips instead bouncycastle non-fips

Posted by YuWei Sung <yu...@streamnative.io.INVALID>.

BC and BC-FIPS differences are the cipher suites. This is similar to TLS1.1
vs 1.2 vs 1.3. Some suites are deprecated (not secured enough due to
compute power improvement).
in TLS 1.3, client has no chance to specific weak cipher suites to connect
to server and exploit the weakness.
For BC-FIPS harden pulsar cluster, brokers should reject connections from
clients with BC (clients must use Security.provider bc-fips).
For BC non fips cluster, it should be flexible. client with bc-fips or bc
should be able to connect to pulsar (bc).

<https://streamnative.io>


Yu Wei Sung

Sr. Solutions Engineer


streamnative.io

<http://github.com/streamnative>
<https://www.linkedin.com/company/streamnative/>
<https://twitter.com/streamnativeio/>


On Wed, Mar 1, 2023 at 10:28 AM Zixuan Liu <no...@gmail.com> wrote:

> > Actually I was expecting that part of the discussion will specify the
> > difference between using FIPS compared with non-FIPS, in each
> BouncyCastle
> > usage: TLS and message encryption.
>
> Good catch! I'll check this.
>
> Asaf Mesika <as...@gmail.com> 于2023年3月1日周三 21:19写道：
>
> > On Mon, Feb 27, 2023 at 4:35 PM Zixuan Liu <no...@gmail.com> wrote:
> >
> > > > users might get exceptions if they don't use specific algorithms or
> > > encryption schemes?
> > >
> > > Could you share more info about this?
> > >
> >
> > Actually I was expecting that part of the discussion will specify the
> > difference between using FIPS compared with non-FIPS, in each
> BouncyCastle
> > usage: TLS and message encryption.
> >
> >  I imagined that FIPS has a shorter list of ciphers it supports.
> >
> >
> >
> > > Asaf Mesika <as...@gmail.com> 于2023年2月27日周一 18:01写道：
> > >
> > > > So if I understand you correctly, once you switch to the FIPS version
> > of
> > > > Bouncy Castle, users might get exceptions if they don't use specific
> > > > algorithms or encryption schemes?
> > > > Potentially a breaking change?
> > > > You can't switch it off via config?
> > > >
> > > > On Wed, Feb 22, 2023 at 3:56 PM Zixuan Liu <no...@gmail.com>
> wrote:
> > > >
> > > > > > 1. What is FIPS?
> > > > >
> > > > > FIPS (Federal Information Processing Standards) are a set of
> > standards
> > > > that
> > > > > describe document processing, encryption algorithms and other
> > > information
> > > > > technology standards for use within non-military government
> agencies
> > > and
> > > > by
> > > > > government contractors and vendors who work with the agencies.
> > > > >
> > > > > > 2. Why is the FIPS version safer exactly?
> > > > >
> > > > > FIPS standard is strict. When using the FIPS version, this is also
> > very
> > > > > strict and standard.
> > > > >
> > > > > > 3. What is bouncycastle used exactly in Pulsar?
> > > > >
> > > > > We use the bouncycastle as the TLS provider,  and used for the
> > > end-to-end
> > > > > message encryption.
> > > > >
> > > > > Thanks,
> > > > > Zixuan
> > > > >
> > > > > Asaf Mesika <as...@gmail.com> 于2023年2月22日周三 21:23写道：
> > > > >
> > > > > > Can you elaborate a bit:
> > > > > > 1. What is FIPS?
> > > > > > 2. Why is the FIPS version safer exactly?
> > > > > > 3. What is bouncycastle used exactly in Pulsar?
> > > > > >
> > > > > >
> > > > > >
> > > > > > On Wed, Feb 22, 2023 at 11:58 AM Zixuan Liu <no...@gmail.com>
> > > wrote:
> > > > > >
> > > > > > > Hi all,
> > > > > > >
> > > > > > > I would like to discuss using the bouncycastle fips instead of
> > the
> > > > > > > bouncycastle non-fips.
> > > > > > >
> > > > > > > The bouncycastle is a Java library that complements the default
> > > Java
> > > > > > > Cryptographic Extension (JCE), which has two versions: fips
> > version
> > > > and
> > > > > > > non-fips version.
> > > > > > >
> > > > > > > The fips version is safer than non-fips. When the security
> level
> > is
> > > > > very
> > > > > > > high, many policies require the fips version, but the Pulsar
> > > default
> > > > > uses
> > > > > > > the non-fips version. Switch this is complex, because
> > > > > > > the `pulsar-client-messagecrypto-bc` module and root project
> > > depends
> > > > on
> > > > > > the
> > > > > > > non-fips, so I suggest we switch to fips version from non-fips.
> > > > > > >
> > > > > > > Reference:
> > > > > > > - https://www.bouncycastle.org/
> > > > > > > - https://www.bouncycastle.org/fips_faq.html
> > > > > > > -
> > > > >
> > https://en.wikipedia.org/wiki/Federal_Information_Processing_Standards
> > > > > > >
> > > > > > > Thanks,
> > > > > > > Zixuan
> > > > > > >
> > > > > >
> > > > >
> > > >
> > >
> >
>

Re: [DISCUSS] Using bouncycastle fips instead bouncycastle non-fips

Posted by Zixuan Liu <no...@gmail.com>.

> Actually I was expecting that part of the discussion will specify the
> difference between using FIPS compared with non-FIPS, in each BouncyCastle
> usage: TLS and message encryption.

Good catch! I'll check this.

Asaf Mesika <as...@gmail.com> 于2023年3月1日周三 21:19写道：

> On Mon, Feb 27, 2023 at 4:35 PM Zixuan Liu <no...@gmail.com> wrote:
>
> > > users might get exceptions if they don't use specific algorithms or
> > encryption schemes?
> >
> > Could you share more info about this?
> >
>
> Actually I was expecting that part of the discussion will specify the
> difference between using FIPS compared with non-FIPS, in each BouncyCastle
> usage: TLS and message encryption.
>
>  I imagined that FIPS has a shorter list of ciphers it supports.
>
>
>
> > Asaf Mesika <as...@gmail.com> 于2023年2月27日周一 18:01写道：
> >
> > > So if I understand you correctly, once you switch to the FIPS version
> of
> > > Bouncy Castle, users might get exceptions if they don't use specific
> > > algorithms or encryption schemes?
> > > Potentially a breaking change?
> > > You can't switch it off via config?
> > >
> > > On Wed, Feb 22, 2023 at 3:56 PM Zixuan Liu <no...@gmail.com> wrote:
> > >
> > > > > 1. What is FIPS?
> > > >
> > > > FIPS (Federal Information Processing Standards) are a set of
> standards
> > > that
> > > > describe document processing, encryption algorithms and other
> > information
> > > > technology standards for use within non-military government agencies
> > and
> > > by
> > > > government contractors and vendors who work with the agencies.
> > > >
> > > > > 2. Why is the FIPS version safer exactly?
> > > >
> > > > FIPS standard is strict. When using the FIPS version, this is also
> very
> > > > strict and standard.
> > > >
> > > > > 3. What is bouncycastle used exactly in Pulsar?
> > > >
> > > > We use the bouncycastle as the TLS provider,  and used for the
> > end-to-end
> > > > message encryption.
> > > >
> > > > Thanks,
> > > > Zixuan
> > > >
> > > > Asaf Mesika <as...@gmail.com> 于2023年2月22日周三 21:23写道：
> > > >
> > > > > Can you elaborate a bit:
> > > > > 1. What is FIPS?
> > > > > 2. Why is the FIPS version safer exactly?
> > > > > 3. What is bouncycastle used exactly in Pulsar?
> > > > >
> > > > >
> > > > >
> > > > > On Wed, Feb 22, 2023 at 11:58 AM Zixuan Liu <no...@gmail.com>
> > wrote:
> > > > >
> > > > > > Hi all,
> > > > > >
> > > > > > I would like to discuss using the bouncycastle fips instead of
> the
> > > > > > bouncycastle non-fips.
> > > > > >
> > > > > > The bouncycastle is a Java library that complements the default
> > Java
> > > > > > Cryptographic Extension (JCE), which has two versions: fips
> version
> > > and
> > > > > > non-fips version.
> > > > > >
> > > > > > The fips version is safer than non-fips. When the security level
> is
> > > > very
> > > > > > high, many policies require the fips version, but the Pulsar
> > default
> > > > uses
> > > > > > the non-fips version. Switch this is complex, because
> > > > > > the `pulsar-client-messagecrypto-bc` module and root project
> > depends
> > > on
> > > > > the
> > > > > > non-fips, so I suggest we switch to fips version from non-fips.
> > > > > >
> > > > > > Reference:
> > > > > > - https://www.bouncycastle.org/
> > > > > > - https://www.bouncycastle.org/fips_faq.html
> > > > > > -
> > > >
> https://en.wikipedia.org/wiki/Federal_Information_Processing_Standards
> > > > > >
> > > > > > Thanks,
> > > > > > Zixuan
> > > > > >
> > > > >
> > > >
> > >
> >
>