
Re: [HTCondor-users] Better encryption than 3DES and Blowfish in HTCondor?



Hi Wes,

As you can see by my e-mail address, I'm in a similar sphere as you; I've worked in support of the BMDS on Patriot, LTAMDS, THAAD, SBX-1, and others over the years.

You'll likely be interested in the FIPS-mode compatible release of HTCondor, available at https://research.cs.wisc.edu/htcondor/yum/fips/

The original HTCondor protocol uses MD5 for message integrity checks, which is blocked when a Linux kernel has FIPS 140-2 enforcement enabled, meaning that the stock version of HTCondor can't be started with fips=1 on the kernel command line.

The FIPS HTCondor release (which they started crafting in April 2018, and gave me a beta release for LTAMDS in July 2018 - kudos to Zach Miller!) switches from using MD5 to SHA1. That, in conjunction with configuring the system to remove Blowfish (which is not FIPS-approved) from the "SEC_DEFAULT_CRYPTO_METHODS" list (recent versions made it the default), enables the software to run on FIPS-mode Linux systems.

The caveat is that the FIPS and non-FIPS HTCondor installations can't communicate with each other, since the SHA1 hash is longer than the MD5 hash and necessitated a change in the protocol packet format. Addressing backwards compatibility is an extremely sticky problem which has prevented integration of FIPS support into the main release branch.

At the moment, 3DES and Blowfish are the only crypto methods available, and only 3DES is FIPS 140-2-approved. I'll defer to the dev team as to their AES plans. Todd Tannenbaum, a leader of the HTCondor development team, mentioned AES support in a presentation to the European HTCondor Workshop in September 2019, in which he indicated they're considering doing TLS 1.3 for everything by default, particularly in light of AES acceleration in newer Intel chips, so it's definitely "on their radar."

However, the fact that 3DES is much slower than Blowfish isn't really perceptible to the users, or even most administrators, and has no meaningful impact at all on the performance of the software on modern systems.

Michael V Pelletier
Principal Engineer

Raytheon Technologies
Information Technology
Digital Transformation & Innovation
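A small pre-flight check for the configuration point raised above, added here as an example and not code from the thread or from the HTCondor project: it flags any method in an HTCondor SEC_DEFAULT_CRYPTO_METHODS list that is not FIPS 140-2 approved (of the two methods available in these versions, only 3DES is), and can optionally read the live value via condor_config_val together with the kernel's FIPS state. The --live flag and the function names are this example's own.

```shell
#!/bin/sh
# Added example: check an HTCondor SEC_DEFAULT_CRYPTO_METHODS value for
# methods that a FIPS 140-2 enforced kernel will not allow.

# Returns 0 if every method in "$1" (comma-separated, as condor_config_val
# prints it) is FIPS-approved, 1 otherwise; prints the offending methods.
check_crypto_methods() {
    methods=$(printf '%s' "$1" | tr 'a-z' 'A-Z' | tr ',' ' ')
    bad=""
    for m in $methods; do
        case "$m" in
            3DES) ;;                 # FIPS 140-2 approved
            *) bad="$bad $m" ;;      # BLOWFISH, or anything unexpected
        esac
    done
    [ -z "$bad" ] && return 0
    echo "non-FIPS crypto methods configured:$bad"
    return 1
}

# True when the kernel runs with FIPS enforcement (fips=1 on the command line).
fips_enabled() {
    [ -r /proc/sys/crypto/fips_enabled ] &&
        [ "$(cat /proc/sys/crypto/fips_enabled)" = "1" ]
}

# Live mode (hypothetical flag): query the running daemon configuration
# instead of a sample string, e.g. "./check.sh --live".
if [ "${1:-}" = "--live" ]; then
    if fips_enabled; then echo "kernel FIPS mode: on"; else echo "kernel FIPS mode: off"; fi
    check_crypto_methods "$(condor_config_val SEC_DEFAULT_CRYPTO_METHODS)"
fi
```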
 


-----Original Message-----
From: HTCondor-users <htcondor-users-bounces@xxxxxxxxxxx> On Behalf Of Wesley Taylor
Sent: Monday, June 22, 2020 3:24 PM
To: htcondor-users@xxxxxxxxxxx
Subject: [External] [HTCondor-users] Better encryption than 3DES and Blowfish in HTCondor?

Hello!

I am looking to migrate my company's computing resources to HTCondor, but we have some pretty strict security policies. I was reading in the readthedocs about using encryption with HTCondor (https://htcondor.readthedocs.io/en/stable/admin-manual/security.html?highlight=use%20SECURITY#encryption) and noticed the only algorithms listed were 3DES and Blowfish. I was wondering if HTCondor supported any newer encryption algorithms such as AES or if there were plans to do so. Thanks!

Wesley Taylor – Cluster Manager
Numerica Corporation (www.numerica.us)
5042 Technology Parkway #100
Fort Collins, Colorado 80528
(970) 207 2232
wesley.taylor@xxxxxxxxxxx