Red Hat OpenStack Services on OpenShift / OSPRH-26310

rhos-conplat-core-operators - RHOSO PQC Cryptography Analysis


    • Epic
    • Resolution: Unresolved
    • Major
    • openstack-operator
    • RHOSSTRAT-977 Cryptographic use in OpenStack - assessing the crypto libraries to support PQC
    • To Do
    • rhos-conplat-core-operators

      Objective: Perform a deep-dive analysis of the Component Name codebase to identify cryptographic operations (TLS, encryption, signing, key management) requiring updates for quantum-safe algorithms (ML-KEM/ML-DSA).

      Scope of Analysis:

      • Go-based services: Map dependencies against OCP 4.20/4.22+ crypto libraries.
      • Python/Dataplane: Assess RHEL 9.7+/10.1+ PQC compatibility.
      • TLS 1.3: Confirm the service can run without TLS 1.2 hardcoding.
      • Cryptographic modules: list all cryptographic modules used in the Component Name codebase (separating test code from product code), with their current/planned PQC support (if information exists).

      Timebox: If the analysis reveals high complexity, a follow-up implementation Jira should be created and targeted at RHOSO 19 Beta (likely TBD-PO).

      Acceptance Criteria

      • Categorized Crypto Inventory: All cryptographic calls (signing, hashing, encryption) within Component Name are identified and categorized as Symmetric or Asymmetric.
      • Legacy Mapping: A map exists of all current RSA/ECDSA/ECC usage that requires replacement or supplementation by ML-KEM or ML-DSA.
      • TLS 1.3 Verification: Confirmed that Component Name communication logic has no hardcoded dependencies on TLS 1.2.
      • All cryptographic modules: The codebase has been scanned for all cryptographic modules and the status of PQC support for each used module is provided. If a module is unused, deprecation should be planned.
      • AI-Driven Audit: The codebase has been scanned using AI analysis, and "false positives" have been filtered out.
      • Bottleneck Identification: Documented any component-specific performance concerns (e.g., increased latency due to PQC key sizes).
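
As an added illustration (not code from this ticket or from any RHOSO repository), one way to start the categorized inventory and the TLS 1.2 check for Go sources is a small `go/ast` scan that separates test from product files. The `Finding` type, the `category` table and the sample input are assumptions made for this example.

```go
package main

import (
	"fmt"
	"go/ast"
	"go/parser"
	"go/token"
	"strings"
)

// Finding is one inventory row: product or test code, category, detail.
type Finding struct{ Kind, Category, Detail string }

// category buckets a few standard-library packages (illustrative, not exhaustive).
var category = map[string]string{
	"crypto/rsa": "asymmetric", "crypto/ecdsa": "asymmetric", "crypto/ecdh": "asymmetric",
	"crypto/aes": "symmetric", "crypto/hmac": "symmetric", "crypto/sha256": "hash",
}

// sample is constructed input, not code from any RHOSO repository.
const sample = "package x; import (\"crypto/rsa\"; \"crypto/tls\"); var c = tls.Config{MaxVersion: tls.VersionTLS12}"

// Scan lists crypto imports and flags MaxVersion pinned to TLS 1.2 in one Go file.
func Scan(filename, src string) ([]Finding, error) {
	fset := token.NewFileSet()
	f, err := parser.ParseFile(fset, filename, src, 0)
	if err != nil {
		return nil, err
	}
	kind := "product"
	if strings.HasSuffix(filename, "_test.go") {
		kind = "test" // the ticket asks to keep test code apart from product code
	}
	var out []Finding
	for _, imp := range f.Imports {
		path := strings.Trim(imp.Path.Value, `"`)
		if c, ok := category[path]; ok {
			out = append(out, Finding{kind, c, path})
		}
	}
	ast.Inspect(f, func(n ast.Node) bool {
		if kv, ok := n.(*ast.KeyValueExpr); ok {
			key, _ := kv.Key.(*ast.Ident)
			val, _ := kv.Value.(*ast.SelectorExpr)
			if key != nil && val != nil && key.Name == "MaxVersion" && val.Sel.Name == "VersionTLS12" {
				out = append(out, Finding{kind, "tls12-pin", fset.Position(kv.Pos()).String()})
			}
		}
		return true
	})
	return out, nil
}

func main() { fmt.Println(Scan("controller.go", sample)) }
```

A syntactic scan like this only finds literal pins and direct imports; versions set through variables, flags or third-party wrappers still need manual review.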

      Definition of Done

      • Documentation: Findings are logged in the central PQC Support Tracking Doc.
      • Actionability: Follow-up Implementation Jiras are created for any required code changes and linked to this spike.
      • Risk Log: Any risks (e.g., performance hits in Keystone) are added to the component risk assessment.
      • Peer Review: Findings have been reviewed and signed off by the Security DFG.

      Check the PQC Program Status dashboard for duplicated common-library work or work already in progress.

              shrjoshi@redhat.com Shreshtha Joshi