Author Topic: ALERT: GSKit 8.0.55.26+ & Post-Quantum Cryptography  (Read 81 times)

Justin Derrick

  • IBM Content Manager OnDemand Consultant
  • Administrator
  • Hero Member
  • *****
  • Posts: 2229
  • CMOD Guru for hire...
    • View Profile
    • Tenacious Consulting
ALERT: GSKit 8.0.55.26+ & Post-Quantum Cryptography
« on: April 01, 2024, 07:09:00 AM »
IBM Global Security Kit is a library that is used by many IBM products to provide cryptographic functions - encrypting data, hashing passwords, etc.  It is generally a good security practise to keep your GSKit at the latest release version, to ensure the highest level of protection for your data and communications.

In one of the most recent FixPacks of GSKit (8.0.55.26+), IBM added 'post quantum cryptography' support to key databases.  "Post-Quantum Cryptography" ('PQC') refers to cryptographic methods that are resistant to factoring attacks against standard cryptographic methods that are quickly becoming feasible due to advances in quantum computing.  This change breaks CMOD v10.5.0.7 (and likely all lower versions).

With the latest GSKit Fixpack, there was no notification, no included README file, and no updated documentation released to describe the change.  It is considered bad software development practise to introduce a change that breaks upstream products, and enable that change by default in minor or 'fix' releases.

CMOD bears some of the responsibility for this issue, as it currently ignores the unreadable key database, didn't produce any error messages (or pass through the GSKit errors), and arssockd starts up, exposing an unresponsive SSL/TLS port on the server's network interface.  Only through extensive server tracing can a cryptic and uninformative GSKit error message be found.

This issue affects both server and client software.  Key Databases must be re-created for both using an undocumented option in order to work with the latest Content Manager OnDemand FixPacks.

Other products may experience similar issues if key databases are created with the latest versions of GSKit.

More information and a solution can be found here:

https://cmod.wiki/index.php?title=IBM_Content_Manager_OnDemand_v10.5.0.7_and_GSKit_support_for_Post-Quantum_Cryptography

-JD.
IBM CMOD Professional Services: http://TenaciousConsulting.com
Call:  +1-866-533-7742  or  eMail:  jd@justinderrick.com
IBM CMOD Wiki:  https://CMOD.wiki/
FREE IBM CMOD Education & Webinars:  https://CMOD.Training/

Interests: #AIX #Linux #Multiplatforms #DB2 #TSM #SP #Performance #Security #Audits #Customizing #Availability #HA #DR