Skip to content

Recommend ssha256 cache hasher in FIPS docs #87255

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 17 commits into from
Jul 22, 2022
Merged

Recommend ssha256 cache hasher in FIPS docs #87255

merged 17 commits into from
Jul 22, 2022

Conversation

n1v0lg
Copy link
Contributor

@n1v0lg n1v0lg commented May 31, 2022

Our docs currently recommend PBKDF2 as a cache hasher in FIPS mode.
However, the performance overhead of PBKDF2 is prohibitive; ssha256
is a more appropriate choice for in-memory credential hashing. This PR
updates the docs to reflect this. See #86740 for more context.

@n1v0lg n1v0lg added >docs General docs changes Team:Docs Meta label for docs team Team:Security Meta label for security team :Security/FIPS Running ES in FIPS 140-2 mode v8.4.0 labels May 31, 2022
@n1v0lg n1v0lg self-assigned this May 31, 2022
n1v0lg
n1v0lg commented May 31, 2022
View reviewed changes
x-pack/docs/en/security/fips-140-compliance.asciidoc Outdated
for all `cache.hash_algo` realm settings.
See <<hashing-settings>>.

You _may_ set the `cache.hash_algo` realm settings to any of the `pbkdf2` options, however you
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Not sure we need this paragraph, and happy to remove it if we don't think it adds value. Essentially, pbkdf2 is a bad idea but it's not technically wrong and if a customer decides they want to use it and that the performance hit is acceptable, they can, from a FIPS standpoint. Wdyt?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think this paragraph should go along with the previous one that says about pbkdf2 not suitable for caching hashing.

@n1v0lg n1v0lg requested review from ywangd and lockewritesdocs May 31, 2022 15:23
@n1v0lg n1v0lg marked this pull request as ready for review May 31, 2022 15:23
@elasticmachine
Copy link
Collaborator

Pinging @elastic/es-docs (Team:Docs)

@elasticmachine
Copy link
Collaborator

Pinging @elastic/es-security (Team:Security)

ywangd
ywangd reviewed Jun 2, 2022
View reviewed changes
Copy link
Member

@ywangd ywangd left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I suggest we split the "Password Hashing" section into two sub-sections, stored password and in-memory password. Or maybe just add one subsection for in-memory password. This will make it easier to directly link to the relevant texts about cache hashing.

x-pack/docs/en/security/fips-140-compliance.asciidoc Outdated
for all `cache.hash_algo` realm settings.
See <<hashing-settings>>.

You _may_ set the `cache.hash_algo` realm settings to any of the `pbkdf2` options, however you
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think this paragraph should go along with the previous one that says about pbkdf2 not suitable for caching hashing.

n1v0lg
n1v0lg commented Jun 2, 2022
View reviewed changes
x-pack/docs/en/security/fips-140-compliance.asciidoc Outdated
@@ -27,8 +27,8 @@ For {es}, adherence to FIPS 140-2 is ensured by
[discrete]
=== Upgrade considerations

[IMPORTANT]
Copy link
Contributor Author

@n1v0lg n1v0lg Jun 2, 2022
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Intellij keeps auto-formatting this. I'm assuming it's fine to drop the trailing spaces

n1v0lg
n1v0lg commented Jun 2, 2022
View reviewed changes
@n1v0lg n1v0lg requested a review from ywangd June 2, 2022 09:19
ywangd
ywangd approved these changes Jun 3, 2022
View reviewed changes
Copy link
Member

@ywangd ywangd left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

Let's wait for @lockewritesdocs to go through the changes before merging. Thanks!

@lockewritesdocs
Copy link
Contributor

@elasticmachine run elasticsearch-ci/docs

lockewritesdocs
lockewritesdocs approved these changes Jul 21, 2022
View reviewed changes
Copy link
Contributor

@lockewritesdocs lockewritesdocs left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Left minor, non-blocking comments, but LGTM otherwise :shipit:

@n1v0lg n1v0lg added v7.17.6 auto-backport Automatically create backport pull requests when merged and removed v7.17.5 labels Jul 22, 2022
@n1v0lg
Copy link
Contributor Author

n1v0lg commented Jul 22, 2022

@elasticmachine run elasticsearch-ci/part-2-fips

@n1v0lg n1v0lg merged commit d6e5c29 into elastic:master Jul 22, 2022
@n1v0lg n1v0lg deleted the docs/fips-cache-hasher branch July 22, 2022 10:14
@n1v0lg n1v0lg mentioned this pull request Jul 22, 2022
Merged
n1v0lg added a commit to n1v0lg/elasticsearch that referenced this pull request Jul 22, 2022
@n1v0lg
Recommend ssha256 cache hasher in FIPS docs (elastic#87255)
975719a 
Our docs currently recommend PBKDF2 as a cache hasher in FIPS mode.
However, the performance overhead of PBKDF2 is prohibitive; ssha256
is a more appropriate choice for in-memory credential hashing. This PR
updates the docs to reflect this. See elastic#86740 for more context.
@n1v0lg n1v0lg mentioned this pull request Jul 22, 2022
Merged
n1v0lg added a commit to n1v0lg/elasticsearch that referenced this pull request Jul 22, 2022
@n1v0lg
Recommend ssha256 cache hasher in FIPS docs (elastic#87255)
17d5463 
Our docs currently recommend PBKDF2 as a cache hasher in FIPS mode.
However, the performance overhead of PBKDF2 is prohibitive; ssha256
is a more appropriate choice for in-memory credential hashing. This PR
updates the docs to reflect this. See elastic#86740 for more context.
@elasticsearchmachine
Copy link
Collaborator

💚 Backport successful

Status Branch Result
7.17
8.3

n1v0lg added a commit that referenced this pull request Aug 1, 2022
@n1v0lg
Recommend ssha256 cache hasher in FIPS docs (#87255) (#88718)
d52d17f 
Our docs currently recommend PBKDF2 as a cache hasher in FIPS mode.
However, the performance overhead of PBKDF2 is prohibitive; ssha256
is a more appropriate choice for in-memory credential hashing. This PR
updates the docs to reflect this. See #86740 for more context.
n1v0lg added a commit that referenced this pull request Aug 4, 2022
@n1v0lg
Recommend ssha256 cache hasher in FIPS docs (#87255) (#88717)
1d98eeb 
Our docs currently recommend PBKDF2 as a cache hasher in FIPS mode.
However, the performance overhead of PBKDF2 is prohibitive; ssha256
is a more appropriate choice for in-memory credential hashing. This PR
updates the docs to reflect this. See #86740 for more context.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ywangd ywangd ywangd approved these changes

@lockewritesdocs lockewritesdocs lockewritesdocs approved these changes

Assignees

@n1v0lg n1v0lg

Labels
auto-backport Automatically create backport pull requests when merged >docs General docs changes :Security/FIPS Running ES in FIPS 140-2 mode Team:Docs Meta label for docs team Team:Security Meta label for security team v7.17.6 v8.3.3 v8.4.0
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@n1v0lg @elasticmachine @lockewritesdocs @elasticsearchmachine @ywangd