Cloud Global

For applications hosted in IBM Public Cloud's K8 cluster as per PEN test results:
1)Weak Cipher Suites - ROBOT Attack : Vulnerable cipher suites are supported by the server
2)Weak cipher suites were detected : Perfect Forward Secrecy is not supported

Is there an explanation of why Vulnerable cipher suites are supported by IBM cloud?


------------------------------
Saurabh Gupta
------------------------------

Original Message:
Sent: 2/9/2021 9:15:00 AM
From: Saurabh Gupta
Subject: Cipher suites

For applications hosted in IBM Public Cloud's K8 cluster as per PEN test results:
1)Weak Cipher Suites - ROBOT Attack : Vulnerable cipher suites are supported by the server
2)Weak cipher suites were detected : Perfect Forward Secrecy is not supported

Is there an explanation of why Vulnerable cipher suites are supported by IBM cloud?


------------------------------
Saurabh Gupta
------------------------------

yes.

Does IBM Public Cloud support PFS by using cipher suites with ECDHE - Elliptic Curve Diffie-Hellman Ephemeral and DHE - Diffie-Hellman Ephemeral key exchanges?

------------------------------
Saurabh Gupta
------------------------------

Original Message:
Sent: Tue February 09, 2021 01:04 PM
From: priyangshu sarkar
Subject: Cipher suites

Hiiii

Original Message:
Sent: 2/9/2021 9:15:00 AM
From: Saurabh Gupta
Subject: Cipher suites

For applications hosted in IBM Public Cloud's K8 cluster as per PEN test results:
1)Weak Cipher Suites - ROBOT Attack : Vulnerable cipher suites are supported by the server
2)Weak cipher suites were detected : Perfect Forward Secrecy is not supported

Is there an explanation of why Vulnerable cipher suites are supported by IBM cloud?


------------------------------
Saurabh Gupta
------------------------------

I haven't heard of K8s having a native FIPS support on its own.  Should we assume you are asking about integrating with a HSM like Cloud HSM, Key Protect, or Hyper Protect Crypto Services?  ECDHE cipher and/or PFS support typically depends on the HSM model you are integrating with.

Cloud HSM & Key Protect are backed by Thales HSM.  Last I heard, the models we use supported ECDHE & PFS both.  But I do recommend double checking the current model by opening a Support case.

I can't seem to find the factsheet on the supported cipher suites for HPCS...  I also recommend opening a Support case should you choose HPCS path.

Docs: Cloud HSM
Docs: Key Protect - Container service integrations
Docs: HPCS - Integrating with container services



------------------------------
Eri Hattori
------------------------------

Original Message:
Sent: Tue February 09, 2021 01:56 PM
From: Saurabh Gupta
Subject: Cipher suites

yes.

Does IBM Public Cloud support PFS by using cipher suites with ECDHE - Elliptic Curve Diffie-Hellman Ephemeral and DHE - Diffie-Hellman Ephemeral key exchanges?

------------------------------
Saurabh Gupta

Original Message:
Sent: Tue February 09, 2021 01:04 PM
From: priyangshu sarkar
Subject: Cipher suites

Hiiii

Original Message:
Sent: 2/9/2021 9:15:00 AM
From: Saurabh Gupta
Subject: Cipher suites

For applications hosted in IBM Public Cloud's K8 cluster as per PEN test results:
1)Weak Cipher Suites - ROBOT Attack : Vulnerable cipher suites are supported by the server
2)Weak cipher suites were detected : Perfect Forward Secrecy is not supported

Is there an explanation of why Vulnerable cipher suites are supported by IBM cloud?


------------------------------
Saurabh Gupta
------------------------------

Hi Eri,

Even I couldn't find any factsheet, audit report that mentions support for stronger Cipher Suites but mitigates successfully by creating SSL connections i.e. RSA encryption based key exchanges in TLS.

------------------------------
Saurabh Gupta
------------------------------

Original Message:
Sent: Thu February 11, 2021 01:18 AM
From: Eri Hattori
Subject: Cipher suites

I haven't heard of K8s having a native FIPS support on its own.  Should we assume you are asking about integrating with a HSM like Cloud HSM, Key Protect, or Hyper Protect Crypto Services?  ECDHE cipher and/or PFS support typically depends on the HSM model you are integrating with.

Cloud HSM & Key Protect are backed by Thales HSM.  Last I heard, the models we use supported ECDHE & PFS both.  But I do recommend double checking the current model by opening a Support case.

I can't seem to find the factsheet on the supported cipher suites for HPCS...  I also recommend opening a Support case should you choose HPCS path.

Docs: Cloud HSM
Docs: Key Protect - Container service integrations
Docs: HPCS - Integrating with container services



------------------------------
Eri Hattori

Original Message:
Sent: Tue February 09, 2021 01:56 PM
From: Saurabh Gupta
Subject: Cipher suites

yes.

Does IBM Public Cloud support PFS by using cipher suites with ECDHE - Elliptic Curve Diffie-Hellman Ephemeral and DHE - Diffie-Hellman Ephemeral key exchanges?

------------------------------
Saurabh Gupta

Original Message:
Sent: Tue February 09, 2021 01:04 PM
From: priyangshu sarkar
Subject: Cipher suites

Hiiii

Original Message:
Sent: 2/9/2021 9:15:00 AM
From: Saurabh Gupta
Subject: Cipher suites

For applications hosted in IBM Public Cloud's K8 cluster as per PEN test results:
1)Weak Cipher Suites - ROBOT Attack : Vulnerable cipher suites are supported by the server
2)Weak cipher suites were detected : Perfect Forward Secrecy is not supported

Is there an explanation of why Vulnerable cipher suites are supported by IBM cloud?


------------------------------
Saurabh Gupta
------------------------------

Hi Saurabh,

Great to hear! SSL/TLS is great for data-in-transit security :-) 

Here is a great use case mapping to secure your data as much as possible: https://cloud.ibm.com/docs/secrets-manager?topic=secrets-manager-manage-secrets-ibm-cloud

I noticed you are an IBMer, so just FYI for me and you, I've looped you in to an email to Z-as-a-Service OM and GTM team for HPCS supported ciphers inquiry.

------------------------------
Eri Hattori
------------------------------

Original Message:
Sent: Mon March 08, 2021 09:24 AM
From: Saurabh Gupta
Subject: Cipher suites

Hi Eri,

Even I couldn't find any factsheet, audit report that mentions support for stronger Cipher Suites but mitigates successfully by creating SSL connections i.e. RSA encryption based key exchanges in TLS.

------------------------------
Saurabh Gupta

Original Message:
Sent: Thu February 11, 2021 01:18 AM
From: Eri Hattori
Subject: Cipher suites

I haven't heard of K8s having a native FIPS support on its own.  Should we assume you are asking about integrating with a HSM like Cloud HSM, Key Protect, or Hyper Protect Crypto Services?  ECDHE cipher and/or PFS support typically depends on the HSM model you are integrating with.

Cloud HSM & Key Protect are backed by Thales HSM.  Last I heard, the models we use supported ECDHE & PFS both.  But I do recommend double checking the current model by opening a Support case.

I can't seem to find the factsheet on the supported cipher suites for HPCS...  I also recommend opening a Support case should you choose HPCS path.

Docs: Cloud HSM
Docs: Key Protect - Container service integrations
Docs: HPCS - Integrating with container services



------------------------------
Eri Hattori

Original Message:
Sent: Tue February 09, 2021 01:56 PM
From: Saurabh Gupta
Subject: Cipher suites

yes.

Does IBM Public Cloud support PFS by using cipher suites with ECDHE - Elliptic Curve Diffie-Hellman Ephemeral and DHE - Diffie-Hellman Ephemeral key exchanges?

------------------------------
Saurabh Gupta

Original Message:
Sent: Tue February 09, 2021 01:04 PM
From: priyangshu sarkar
Subject: Cipher suites

Hiiii

Original Message:
Sent: 2/9/2021 9:15:00 AM
From: Saurabh Gupta
Subject: Cipher suites

For applications hosted in IBM Public Cloud's K8 cluster as per PEN test results:
1)Weak Cipher Suites - ROBOT Attack : Vulnerable cipher suites are supported by the server
2)Weak cipher suites were detected : Perfect Forward Secrecy is not supported

Is there an explanation of why Vulnerable cipher suites are supported by IBM cloud?


------------------------------
Saurabh Gupta
------------------------------