Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

post quantum via kyber #1141

Open
xyhhx opened this issue Oct 12, 2024 · 2 comments
Open

post quantum via kyber #1141

xyhhx opened this issue Oct 12, 2024 · 2 comments
Assignees
@FlorentinDUBOIS
Labels
question

Comments

@xyhhx
Copy link

xyhhx commented Oct 12, 2024
edited
Loading

rustls offers experimental post quantum crypto via kyber:
https://docs.rs/rustls-post-quantum/latest/rustls_post_quantum/

is this an option to enable for sozu? should it be considered if not?
@FlorentinDUBOIS
Copy link
Collaborator

Hello 👋,
Nice to meet you, I am glad that you are interested on Sōzu using Rustls. We do not have plan to change of crypto provider yet, maybe we should plan it. However, I am not a huge fan on introducing experimental features on Sōzu as we used for production and we want it to be as stable as possible. If we do implement another crypto provider today, it will be aws-lc in addition to ring, it will make more sense to me.

@FlorentinDUBOIS FlorentinDUBOIS self-assigned this Oct 14, 2024
@xyhhx
Copy link
Author

xyhhx commented Oct 25, 2024
edited
Loading

thanks for the reply! i was under the impression that sozu was already using rustls for crypto, which is why i was asking about it 😅

in any case, would you consider it as an optional feature that users could enable at their whim (i agree that enabling experimental features by default isn't a great idea)?

harvest now decrypt later1 is a real threat today. for those looking for a secure proxy for their servers who have this attack in their threat model, this would be a good feature for sozu to offer, even if opt-in. it's already an optional feature of other proxies2 like nginx3 and caddy4 (albeit if the user decides to compile them themselves, though in caddy's case this is trivial using xcaddy)

regarding aws-lc, it too offers post-quantum cryptography5, whereas ring is planning to add it but hasn't as of yet6

edit: sorry, re-reading my original comment i realize i misunderstood your reply. while ring doesn't offer ml-kem, and aws-lc-rs does, perhaps offering it as an opt-in feature is worth considering? i haven't really taken a deep look at the code to see how much work that'd entail

Footnotes

  1. https://en.wikipedia.org/wiki/Harvest_now,_decrypt_later

  2. https://pq.cloudflareresearch.com/

  3. https://mailman.nginx.org/pipermail/nginx/2023-August/NOISOYU3QTB2DGIYUBGF7CAMQHDI2QLT.html

  4. https://gist.github.com/bwesterb/2f7bfa7ae689de0d242b56ea3ecac424

  5. https://github.com/aws/aws-lc/blob/main/crypto/fipsmodule/PQREADME.md

  6. https://github.com/briansmith/ring/issues/1685

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@FlorentinDUBOIS FlorentinDUBOIS

Labels
question
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@FlorentinDUBOIS @xyhhx