IETF-123 Hackathon - Testing the implementation of x25519MLKEM768 in MinIO
x25519
X25519 is an elliptic-curve Diffie-Hellman key exchange over Curve25519: each side generates an ephemeral key pair and the two parties derive a shared secret that an eavesdropper cannot compute. It is widely used in Transport Layer Security (TLS) 1.2 and 1.3 as the ECDHE (Elliptic Curve Diffie-Hellman Ephemeral) key exchange. X25519 is a reliable choice: it has been extensively analysed and is supported by all modern web servers and browsers. Its main drawback is that, like every classical Diffie-Hellman variant, it is broken by a sufficiently large quantum computer running Shor's algorithm, so TLS traffic recorded today could be decrypted later.
MLKEM768
ML-KEM (Module-Lattice-Based Key Encapsulation Mechanism, formerly Kyber, standardised by NIST as FIPS 203 in 2024) is one of the newer post-quantum algorithms. It was designed to address the main drawback of X25519: its security rests on lattice problems that are not known to be efficiently solvable by quantum computers. ML-KEM-768 is the parameter set used here. It is, however, much younger than X25519, and researchers have found timing side channels in several implementations of it, which is one reason it is deployed alongside a classical key exchange rather than on its own.
x25519MLKEM768
x25519MLKEM768 is a hybrid key exchange for TLS 1.3, defined as a named group in the IETF draft draft-ietf-tls-ecdhe-mlkem, that combines X25519 and ML-KEM-768. Both exchanges run inside the same handshake and the two shared secrets are concatenated before entering the TLS key schedule, so an attacker has to break both to recover the session keys. X25519 preserves today's security guarantees and compatibility, while ML-KEM-768 adds resistance to quantum attacks. Go 1.24's crypto/tls enables this group by default, which is what the Go 1.24 prerequisite below provides.
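To make the combination concrete, here is an added example (not code from the MinIO branch or from the original write-up) that runs the X25519MLKEM768 exchange from draft-ietf-tls-ecdhe-mlkem on Go 1.24's standard crypto/mlkem and crypto/ecdh packages. The client's key_share is its ML-KEM-768 encapsulation key (1184 bytes) followed by its X25519 public key (32 bytes); the server answers with the ML-KEM ciphertext (1088 bytes) followed by its own X25519 public key; both sides concatenate the two 32-byte secrets into the 64-byte value TLS 1.3 feeds into HKDF. The second run flips one ciphertext bit in transit to show that ML-KEM's implicit rejection yields a different key rather than an error. All function names are mine.

```go
// Added example (not MinIO code): X25519MLKEM768 hybrid key agreement as in
// draft-ietf-tls-ecdhe-mlkem, on Go 1.24's crypto/mlkem and crypto/ecdh.
// Every share and the final secret are laid out as "ML-KEM part || X25519 part".
package main

import (
	"crypto/ecdh"
	"crypto/mlkem"
	"crypto/rand"
	"fmt"
	"slices"
)

// clientKeyShare makes both ephemeral key pairs and the ClientHello key_share.
func clientKeyShare() (*mlkem.DecapsulationKey768, *ecdh.PrivateKey, []byte, error) {
	kem, err := mlkem.GenerateKey768()
	if err != nil {
		return nil, nil, nil, err
	}
	dh, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, nil, err
	}
	return kem, dh, slices.Concat(kem.EncapsulationKey().Bytes(), dh.PublicKey().Bytes()), nil
}

// serverRespond encapsulates to the client's ML-KEM key and runs X25519 with a
// fresh server key, returning the ServerHello key_share and the hybrid secret.
func serverRespond(clientShare []byte) ([]byte, []byte, error) {
	if len(clientShare) != mlkem.EncapsulationKeySize768+32 {
		return nil, nil, fmt.Errorf("client key_share has %d bytes", len(clientShare))
	}
	ek, err := mlkem.NewEncapsulationKey768(clientShare[:mlkem.EncapsulationKeySize768])
	if err != nil {
		return nil, nil, err
	}
	clientPub, err := ecdh.X25519().NewPublicKey(clientShare[mlkem.EncapsulationKeySize768:])
	if err != nil {
		return nil, nil, err
	}
	kemSecret, ciphertext := ek.Encapsulate()
	dh, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	dhSecret, err := dh.ECDH(clientPub) // errors on a low-order point (all-zero output)
	if err != nil {
		return nil, nil, err
	}
	return slices.Concat(ciphertext, dh.PublicKey().Bytes()), slices.Concat(kemSecret, dhSecret), nil
}

// clientFinish derives the client's copy; a tampered ML-KEM ciphertext does not error (implicit rejection).
func clientFinish(kem *mlkem.DecapsulationKey768, dh *ecdh.PrivateKey, serverShare []byte) ([]byte, error) {
	if len(serverShare) != mlkem.CiphertextSize768+32 {
		return nil, fmt.Errorf("server key_share has %d bytes", len(serverShare))
	}
	kemSecret, err := kem.Decapsulate(serverShare[:mlkem.CiphertextSize768])
	if err != nil {
		return nil, err
	}
	serverPub, err := ecdh.X25519().NewPublicKey(serverShare[mlkem.CiphertextSize768:])
	if err != nil {
		return nil, err
	}
	dhSecret, err := dh.ECDH(serverPub)
	if err != nil {
		return nil, err
	}
	return slices.Concat(kemSecret, dhSecret), nil
}

// hybridExchange runs one exchange, optionally flipping a ciphertext bit in
// transit, and reports whether both sides hold the same 64-byte secret.
func hybridExchange(tamper bool) (bool, error) {
	kem, dh, clientShare, err := clientKeyShare()
	if err != nil {
		return false, err
	}
	serverShare, serverSecret, err := serverRespond(clientShare)
	if err != nil {
		return false, err
	}
	if tamper {
		serverShare[0] ^= 0x01 // the leading bytes are the ML-KEM ciphertext
	}
	clientSecret, err := clientFinish(kem, dh, serverShare)
	if err != nil {
		return false, err
	}
	return len(serverSecret) == 2*mlkem.SharedKeySize && slices.Equal(clientSecret, serverSecret), nil
}

func main() {
	for _, tamper := range []bool{false, true} {
		agree, err := hybridExchange(tamper)
		fmt.Printf("tamper=%v agree=%v err=%v\n", tamper, agree, err)
	}
}
```

In a real handshake the mismatch from the tampered run would only surface when the Finished MACs fail to verify; nothing in the key exchange itself signals it, which is why a key-share length check and the TLS transcript authentication both matter.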
Prerequisites
- Go 1.24
Installing Go 1.24 (on Ubuntu)
Installing Go 1.24 is straightforward and requires only a few commands:
- sudo add-apt-repository ppa:longsleep/golang-backports
- sudo apt update
- sudo apt install golang-1.24
To verify that Go was installed, run:
/usr/lib/go-1.24/bin/go version
The command should print the installed version, a line beginning with go version go1.24.
We can now proceed with MinIO.
What is MinIO?
MinIO is an open-source, cloud-native object storage system that exposes an Amazon S3-compatible API. It is lightweight, scales easily and performs well.
Installing MinIO (on Ubuntu)
We start by cloning the required repository from the cyberstorm.mu GitHub page:
git clone https://github.com/cyberstormdotmu/minio.git
After cloning the repository, we need to switch to another branch as follows:
- git branch -a (lists all branches)
- git checkout loganaden-x25519mklem768 (switches to the branch loganaden-x25519mklem768)
- git log (shows the commit history)
After switching to the desired branch, we must install the build automation tool make:
sudo apt install make
Once make is installed, cd into the minio directory and simply type make. This compiles MinIO from the checked-out branch and leaves a minio binary in the repository root; that is the binary to run when testing the branch's x25519MLKEM768 support.
We can now run a standalone MinIO server on our Linux virtual machine. First create a data directory:
- mkdir -p ~/minio-data
Alternatively, the upstream release binary can be downloaded. Note that it is built by MinIO upstream and does not contain the changes from the loganaden-x25519mklem768 branch:
- wget https://dl.min.io/server/minio/release/linux-arm64/minio (downloads the arm64 MinIO binary; use linux-amd64 instead if uname -m reports x86_64)
- chmod +x minio (makes the binary executable)
Starting a MinIO server which uses HTTP
We can use the following command to start a server on our virtual machine. Note that this server uses plain HTTP, so no TLS handshake, and therefore no key exchange, takes place.
./minio server ~/minio-data
How to check if our server is using x25519MLKEM768?
Once our server has been launched, we can check whether it is using x25519MLKEM768. One way is to use the Network Mapper, commonly known as Nmap. First install Nmap:
sudo apt install nmap
We can run the following command to check that nmap was installed successfully:
nmap --version
Once installed, we can run the following command to produce a scan report listing the TLS versions and cipher suites the service on port 9000 offers:
nmap -sV --script ssl-enum-ciphers -p 9000 127.0.0.1
After running the above command, we search the generated report for the supported TLS versions and ciphers (the original write-up shows the report as a screenshot).
This is however NOT the output we wanted, as there is no mention of TLS 1.3 or x25519MLKEM768. That is expected: the server we started speaks plain HTTP, so there is no TLS handshake for ssl-enum-ciphers to inspect and no key exchange of any kind is negotiated.
Setting up and launching a MinIO server which uses HTTPS
First we copy the minio binary to /usr/local/bin/ so that it is on the PATH:
cp minio /usr/local/bin/
Then we create the directory from which MinIO loads its TLS certificate and private key. MinIO's default is ~/.minio/certs, which is also where the --certs-dir flag below points:
mkdir -p ~/.minio/certs
After creating the directory, cd into it and generate a self-signed certificate and an RSA private key, using the file names MinIO expects (public.crt and private.key):
openssl req -x509 -newkey rsa:2048 -nodes -keyout private.key -out public.crt -days 365
We can check that the certificate was created correctly by printing it:
openssl x509 -in public.crt -text -noout
We must then configure the MinIO server's root credentials. The values below are throwaway lab credentials; on any server reachable by others, use long, unique secrets:
export MINIO_ROOT_USER=minioadmin
export MINIO_ROOT_PASSWORD=minioadmin123
We can now launch our TLS-enabled MinIO server. The S3 API listens on port 9000 and the console on port 9001, both over HTTPS once certificates are present:
./minio server ~/minio/data --certs-dir ~/.minio/certs --console-address ":9001"
After launching the server, we can run either of the following commands to see whether it negotiates x25519MLKEM768 (port 9001 is the console; the API port 9000 uses the same TLS configuration).
nmap -sV --script ssl-enum-ciphers -p 9001 127.0.0.1
OR
openssl s_client -connect 127.0.0.1:9001
However, in both cases we do NOT obtain the desired output. Nmap's ssl-enum-ciphers script only reports the cipher suites and groups its TLS library knows about and did not show the hybrid group, and the OpenSSL shipped with the VM is older than 3.5, the first release that implements ML-KEM and the X25519MLKEM768 group (OpenSSL 3.5 also offers it by default in TLS 1.3).
To obtain a newer OpenSSL without replacing the system one, we can pull a container image:
sudo docker pull alpine/openssl:3.5.1
The above command downloads from Docker Hub a lightweight Alpine Linux image with OpenSSL 3.5.1 installed. Its entrypoint is the openssl binary, so whatever follows the image name in docker run is passed to openssl as arguments.
We can first test against cyberstorm.mu to confirm that this OpenSSL negotiates the hybrid group:
sudo docker run alpine/openssl:3.5.1 s_client -connect cyberstorm.mu:443
The output contains a section with the line Negotiated TLS1.3 group: X25519MLKEM768 (shown as a screenshot in the original write-up).
We see that the website uses x25519MLKEM768, which confirms both that OpenSSL 3.5.1 is running and that it recognises the group. To force the question rather than rely on the server's preferences, add -groups X25519MLKEM768 to the s_client command: the handshake then fails against any server that does not support the group.
Finally, we run the same test against our standalone MinIO server, on the S3 API port 9000:
sudo docker run alpine/openssl:3.5.1 s_client -connect 192.168.37.129:9000
After running the command, we obtained the same output as before, so the standalone MinIO server negotiates x25519MLKEM768.
NOTE: We are not using the loopback address (127.0.0.1) here but the VM's own IP address. Inside the container, 127.0.0.1 is the container's own loopback interface, not the host's, so a connection to 127.0.0.1:9000 from the container would not reach MinIO. To find the host's local IP address, look back at the banner printed when we ran ./minio server ~/minio/data --certs-dir ~/.minio/certs --console-address ":9001"; it contains a line with the host's local IP address. In our case, the line was mc alias set 'myminio' 'https://192.168.37.129:9000' 'minioadmin' 'minioadmin'. Alternatively, start the container with --network host, after which 127.0.0.1 inside the container refers to the host's loopback interface.