The BC and BC-FIPS differences are the cipher suites. This is similar to TLS 1.1
vs 1.2 vs 1.3. Some suites are deprecated (not secure enough due to
compute power improvements).
In TLS 1.3, the client has no chance to specify weak cipher suites to connect
to the server and exploit the weakness.
For a BC-FIPS hardened Pulsar cluster, brokers should reject connections from
clients with BC (clients must use Security.provider bc-fips).
For a BC non-FIPS cluster, it should be flexible: a client with bc-fips or bc
should be able to connect to Pulsar (bc).

<https://streamnative.io>


Yu Wei Sung

Sr. Solutions Engineer




On Wed, Mar 1, 2023 at 10:28 AM Zixuan Liu <node...@gmail.com> wrote:

> > Actually I was expecting that part of the discussion will specify the
> > difference between using FIPS compared with non-FIPS, in each BouncyCastle
> > usage: TLS and message encryption.
>
> Good catch! I'll check this.
>
> Asaf Mesika <asaf.mes...@gmail.com> wrote on Wed, Mar 1, 2023 at 21:19:
>
> > On Mon, Feb 27, 2023 at 4:35 PM Zixuan Liu <node...@gmail.com> wrote:
> >
> > > > users might get exceptions if they don't use specific algorithms or
> > > > encryption schemes?
> > >
> > > Could you share more info about this?
> > >
> >
> > Actually I was expecting that part of the discussion will specify the
> > difference between using FIPS compared with non-FIPS, in each BouncyCastle
> > usage: TLS and message encryption.
> >
> > I imagined that FIPS has a shorter list of ciphers it supports.
> >
> >
> >
> > > Asaf Mesika <asaf.mes...@gmail.com> wrote on Mon, Feb 27, 2023 at 18:01:
> > >
> > > > So if I understand you correctly, once you switch to the FIPS version of
> > > > Bouncy Castle, users might get exceptions if they don't use specific
> > > > algorithms or encryption schemes?
> > > > Potentially a breaking change?
> > > > You can't switch it off via config?
> > > >
> > > > On Wed, Feb 22, 2023 at 3:56 PM Zixuan Liu <node...@gmail.com> wrote:
> > > >
> > > > > > 1. What is FIPS?
> > > > >
> > > > > FIPS (Federal Information Processing Standards) are a set of standards
> > > > > that describe document processing, encryption algorithms and other
> > > > > information technology standards for use within non-military government
> > > > > agencies and by government contractors and vendors who work with the
> > > > > agencies.
> > > > >
> > > > > > 2. Why is the FIPS version safer exactly?
> > > > >
> > > > > The FIPS standard is strict. When using the FIPS version, this is also
> > > > > very strict and standard.
> > > > >
> > > > > > 3. What is bouncycastle used exactly in Pulsar?
> > > > >
> > > > > We use bouncycastle as the TLS provider, and also for end-to-end
> > > > > message encryption.
> > > > >
> > > > > Thanks,
> > > > > Zixuan
> > > > >
> > > > > Asaf Mesika <asaf.mes...@gmail.com> wrote on Wed, Feb 22, 2023 at 21:23:
> > > > >
> > > > > > Can you elaborate a bit:
> > > > > > 1. What is FIPS?
> > > > > > 2. Why is the FIPS version safer exactly?
> > > > > > 3. What is bouncycastle used exactly in Pulsar?
> > > > > >
> > > > > >
> > > > > >
> > > > > > On Wed, Feb 22, 2023 at 11:58 AM Zixuan Liu <node...@gmail.com> wrote:
> > > > > >
> > > > > > > Hi all,
> > > > > > >
> > > > > > > I would like to discuss using the bouncycastle fips instead of the
> > > > > > > bouncycastle non-fips.
> > > > > > >
> > > > > > > The bouncycastle is a Java library that complements the default Java
> > > > > > > Cryptographic Extension (JCE), which has two versions: fips version
> > > > > > > and non-fips version.
> > > > > > >
> > > > > > > The fips version is safer than non-fips. When the security level is
> > > > > > > very high, many policies require the fips version, but the Pulsar
> > > > > > > default uses the non-fips version. Switching this is complex, because
> > > > > > > the `pulsar-client-messagecrypto-bc` module and root project depend
> > > > > > > on the non-fips, so I suggest we switch to fips version from non-fips.
> > > > > > >
> > > > > > > Reference:
> > > > > > > - https://www.bouncycastle.org/
> > > > > > > - https://www.bouncycastle.org/fips_faq.html
> > > > > > > - https://en.wikipedia.org/wiki/Federal_Information_Processing_Standards
> > > > > > >
> > > > > > > Thanks,
> > > > > > > Zixuan
> > > > > > >
> > > > > >
> > > > >
> > > >
> > >
> >
>

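The provider rule from Yu Wei Sung's message at the top of this thread (a FIPS-hardened deployment must run on the bc-fips provider, and TLS 1.3 removes the client's ability to pick a deprecated suite), as an added Java example that is not part of the thread or of Pulsar's code base. It assumes the bc-fips jar is on the classpath and uses Bouncy Castle's provider names "BCFIPS" (FIPS) and "BC" (non-FIPS); the key and trust managers are left as JDK defaults and are assumed to be wired to the real keystores in a deployment.

```java
import java.security.Provider;
import java.security.Security;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider;

/**
 * Startup check for a process that is meant to run in FIPS mode: install
 * BC-FIPS as the highest-priority JCA provider, refuse to start if the
 * non-FIPS "BC" provider is also present, and build TLS parameters that
 * only allow TLS 1.3 so no legacy suite can be negotiated.
 * Assumption: bc-fips is on the classpath; provider names follow Bouncy Castle.
 */
public final class FipsProviderCheck {

    /** Returns the name of the provider now at position 1 ("BCFIPS" on success). */
    public static String enforceFipsProvider() {
        // Position 1 means Cipher/KeyStore/Signature lookups resolve to BC-FIPS first.
        if (Security.getProvider("BCFIPS") == null) {
            Security.insertProviderAt(new BouncyCastleFipsProvider(), 1);
        }
        // Mixing the FIPS and non-FIPS jars defeats the point: fail closed.
        Provider nonFips = Security.getProvider("BC");
        if (nonFips != null) {
            throw new IllegalStateException(
                "non-FIPS Bouncy Castle provider installed: " + nonFips.getInfo());
        }
        return Security.getProviders()[0].getName();
    }

    /** TLS 1.3 only: the peer cannot steer the handshake onto a deprecated suite. */
    public static SSLParameters tls13OnlyParameters() throws Exception {
        // With the BC JSSE provider you would pass its name as the second argument.
        SSLContext ctx = SSLContext.getInstance("TLSv1.3");
        ctx.init(null, null, null); // JDK default key/trust managers (assumption)
        SSLParameters params = ctx.getDefaultSSLParameters();
        params.setProtocols(new String[] {"TLSv1.3"});
        return params;
    }

    public static void main(String[] args) throws Exception {
        System.out.println("provider[0] = " + enforceFipsProvider());
        SSLParameters p = tls13OnlyParameters();
        System.out.println("protocols   = " + String.join(",", p.getProtocols()));
    }
}
```

Run the check once at startup on both brokers and clients; a non-FIPS jar that slipped onto the classpath then surfaces as a startup failure instead of a silently weaker handshake.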