  • 1.  Cipher suites

    Posted Tue February 09, 2021 11:47 AM
    For applications hosted in IBM Public Cloud's K8 cluster as per PEN test results:
    1) Weak Cipher Suites - ROBOT Attack: Vulnerable cipher suites are supported by the server
    2) Weak cipher suites were detected: Perfect Forward Secrecy is not supported

    Is there an explanation of why Vulnerable cipher suites are supported by IBM cloud?


    ------------------------------
    Saurabh Gupta
    ------------------------------


  • 2.  RE: Cipher suites

    Posted Tue February 09, 2021 01:39 PM
    Hiiii





  • 3.  RE: Cipher suites

    Posted Tue February 09, 2021 01:57 PM
    yes.

    Does IBM Public Cloud support PFS by using cipher suites with ECDHE - Elliptic Curve Diffie-Hellman Ephemeral and DHE - Diffie-Hellman Ephemeral key exchanges?

    ------------------------------
    Saurabh Gupta
    ------------------------------
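
Added example, not part of any post in this thread: both pen-test findings above depend on the key exchange named in each suite the server offers (RSA-encryption key exchange for the ROBOT finding, ephemeral ECDHE/DHE for forward secrecy). This sketch sorts suite names in IANA or common OpenSSL spelling into those groups; the `SCAN` list is constructed sample input and the function names are this example's own.

```python
# Added example: sort offered TLS suites by key exchange (names are this example's own).
NON_RSA_PREFIXES = {"ECDHE", "DHE", "EDH", "DH", "ECDH", "ADH", "AECDH", "PSK", "SRP", "KRB5"}

def key_exchange(suite):
    """Return 'ECDHE', 'DHE', 'RSA', 'TLS1.3' or 'OTHER' for one suite name."""
    name = suite.strip().upper()
    if name.endswith("_SCSV"):
        return "OTHER"                      # signalling value, not a real suite
    if name.startswith(("TLS_", "SSL_")):   # IANA spelling
        if "_WITH_" not in name:
            return "TLS1.3"                 # TLS 1.3 suites: key exchange is always ephemeral
        first = name.split("_WITH_")[0].split("_")[1]
    else:                                   # OpenSSL spelling
        first = name.split("-")[0]
        if first != "RSA" and first not in NON_RSA_PREFIXES:
            return "RSA"                    # no prefix (e.g. AES128-SHA) means RSA key exchange
    if first == "EDH":                      # older OpenSSL alias for DHE
        first = "DHE"
    return first if first in ("ECDHE", "DHE", "RSA") else "OTHER"

def audit(suites):
    """Relate the two findings in the thread to the suites a server offers."""
    kx = {s: key_exchange(s) for s in suites}
    forward_secret = [s for s, k in kx.items() if k in ("ECDHE", "DHE", "TLS1.3")]
    return {
        "rsa_key_exchange": [s for s, k in kx.items() if k == "RSA"],  # ROBOT-type finding
        "forward_secret": forward_secret,                               # suites giving PFS
        "other": [s for s, k in kx.items() if k == "OTHER"],           # static DH, PSK, anon...
        "pfs_supported": bool(forward_secret),
    }

# Constructed sample: suite names as a TLS scanner might list them.
SCAN = [
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_256_GCM_SHA384",
    "AES128-SHA",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "DHE-RSA-AES256-GCM-SHA384",
    "TLS_AES_128_GCM_SHA256",
]

if __name__ == "__main__":
    report = audit(SCAN)
    for group in ("rsa_key_exchange", "forward_secret", "other"):
        print(group, "->", ", ".join(report[group]) or "(none)")
    print("PFS supported:", report["pfs_supported"])
```

A server whose list leaves `forward_secret` empty matches the second finding; removing every suite in `rsa_key_exchange` from the server's configuration addresses the first.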



  • 4.  RE: Cipher suites

    Posted Thu February 11, 2021 01:19 AM
    I haven't heard of K8s having native FIPS support on its own. Should we assume you are asking about integrating with an HSM like Cloud HSM, Key Protect, or Hyper Protect Crypto Services? ECDHE cipher and/or PFS support typically depends on the HSM model you are integrating with.

    Cloud HSM & Key Protect are backed by Thales HSM. Last I heard, the models we use supported both ECDHE & PFS. But I do recommend double-checking the current model by opening a Support case.

    I can't seem to find the factsheet on the supported cipher suites for HPCS... I also recommend opening a Support case should you choose the HPCS path.

    Docs: Cloud HSM
    Docs: Key Protect - Container service integrations
    Docs: HPCS - Integrating with container services



    ------------------------------
    Eri Hattori
    ------------------------------



  • 5.  RE: Cipher suites

    Posted Mon March 08, 2021 09:24 AM
    Edited by Saurabh Gupta Mon March 08, 2021 12:53 PM
    Hi Eri,

    Even I couldn't find any factsheet or audit report that mentions support for stronger cipher suites but mitigates successfully by creating SSL connections, i.e. RSA encryption based key exchanges in TLS.

    ------------------------------
    Saurabh Gupta
    ------------------------------



  • 6.  RE: Cipher suites

    Posted Mon March 08, 2021 09:17 PM
    Hi Saurabh,

    Great to hear! SSL/TLS is great for data-in-transit security :-) 

    Here is a great use case mapping to secure your data as much as possible: https://cloud.ibm.com/docs/secrets-manager?topic=secrets-manager-manage-secrets-ibm-cloud

    I noticed you are an IBMer, so just FYI for me and you, I've looped you in to an email to Z-as-a-Service OM and GTM team for HPCS supported ciphers inquiry.

    ------------------------------
    Eri Hattori
    ------------------------------