IETF-123 - Testing PQC TLS protocol "X22519MLKEM768" on Open Telemetry

 Table of content:

  • What is X25519MLKEM768?
  • What is OpenTelemetry?
  • Installing Golang on Ubuntu
  • Installing OpenTelemetry on Ubuntu
  • Testing X25519MLKEM768 TLS protocol on OpenTelemetry
  • Conclusion

What is X25519MLKEM768?

X25519MLKEM768 is a recent hybrid post-quantum key exchange algorithm used in TLSv1.3. It is made of the original X25519 algorithm alongside with the post quantum ML-KEM-768 algorithm and together it makes up a more secure connection against attacks from Quantum Computers which TLS1.3 is susceptible to.

X25519MLKEM768 has been deployed by Cloudflare:



Cyberstorm.mu is the leading group in Africa to support this new key exchange in technologies like Open Telemetry and Minio.


What is Open Telemetry?

OpenTelemetry is an open-source project that provides tools, APIs, and SDKs to collect, process, and export telemetry data—such as traces, metrics, and logs—from applications and services. It helps developers and operators gain visibility into how systems are performing and interacting, making it easier to monitor, debug, and improve performance in distributed systems.


The OpenTelemetry Collector is a key component in the OpenTelemetry ecosystem that receives, processes, and exports telemetry data (traces, metrics, logs) from your applications.


Link to OpenTelemetry Collector github repository:
https://github.com/open-telemetry/opentelemetry-collector


However, our Cyberstorm.mu member Loganaden Velvindron, made a fork of this repo and has made new change to implement the support for X25519MLKEM768 for OpenTelemetry-Collector.


The link to this repo: https://github.com/cyberstormdotmu/opentelemetry-collector

Installing Golang on Ubuntu

Before working with the repository of the OpenTelemetry Collector, there is one important prerequisite. 

We need to install Golang precisely go-1.24 as it is the primary language that will be used for OpenTelemetry.

The steps are:
  1. sudo add-apt-repository ppa:longsleep/golang-backports

  2. sudo apt update

  3. Sudo apt install go-1.24
Then we can assign the path of the directory of  go-1.24 to our environment variable to use the go command directory without using the full path every time. The steps are:

  1. export PATH=$PATH:/usr/lib/go-1.24/bin 

  2. source ~/.bashrc
Now to check if all has functioned properly, type go version and the following output should be produced:




Installing OpenTelemetry on Ubuntu

Step1:

Clone the forked repository of OpenTelemetry-Collector from cyberstorm.mu:

git clone https://github.com/cyberstormdotmu/opentelemetry-collector.git





step2:

Install the required dependencies and tools for the OpenTelemetry-collector by running:

make install-tools && make otelcorecol

Note: If the bin directory was not created, you need to run go mod tidy for each directory in cmd folder in opentelemetry-collector and then you run make otelcorecol again.




Testing X25519MLKEM768 TLS protocol on OpenTelemetry

step1

Create the config.yaml file on the repo and use the following code containing the X25519MLKEM768 chosen as the curve preference:

receivers:
  otlp:
    protocols:
      grpc:
        endpoint: 0.0.0.0:4317
        tls:
          cert_file: cert.pem
          key_file: key.pem
          curve_preferences: [X25519MLKEM768]

exporters:
  otlp:
    endpoint: otlp-destination:4317
    tls:
      cert_file: cert.pem
      key_file: key.pem
      curve_preferences: [X25519MLKEM768]

service:
  pipelines:
    traces:
      receivers: [otlp]
      exporters: [otlp]



The above code specifies TLS encryption using the OpenTelemetry Protocol(otlp) with the cert.pem and key.pem that will be generated in the following step. 

Note: The path of the cert.pem and key.pem must be specified if it is not in the same folder.


step2:

To generate the self-signed TLS certificate and a private key using OpenSSL, run the command:

openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes




step3:

Now the config.yaml file, certificate and private key have been setup, it is time to run the service. We use ./bin/otelcorecol_linux_amd64 to run the opentelemetry-collector binary but as mentioned before we can export it to our environment path.

The full command to run is:

./bin/otelcorecol_linux_amd64 --config config.yaml

The service then starts and GRPC server starts on 4137 port on localhost.


Unfortunately in my case, a warning message like the one below was popping up at regular intervals although it did not seem to affect the process but I may be wrong on this. 

Currently as of writing this blog, I am still working on fixing this issue and any hints would be appreciated. 




step4:

Unfortunately the openssl and nmap that we have installed is not on a version that is compatible with TLS1.3 or MLKEM768.

So there was a docker image that has an openssl 3.5.1 version that supports them. So we needed to pull(install) and run the image for it but beforehand we can install docker using:

sudo snap install docker

Then to pull the docker image for the openssl v3.5.1 from alpine we use:

sudo docker pull alpine/openssl:3.5.1



First we tested this openssl using cyberstorm.mu website that actually supports TLS1.3 and X25519MLKEM768 using:

sudo docker run alpine/openssl:3.5.1 s_client -connect cyberstorm.mu:443

The result can confirm this:



Well now as it worked, we ran the openssl on localhost on port 4137 using command:

sudo docker run alpine/openssl:3.5.1 s_client -connect 10.0.2.15:4137


The result produced:





And finally we got our result we wanted. The opentelemetry-collector with Loganaden Velvindron inclusion of X25519MLKEM768 worked:




Conclusion

This was my first IETF hackathon and I was able to learn lots of things even if it was confusing at first. I would like to show my gratitude to Loganaden Velvindron for his teachings during this hackathon and also my friends who were part of the hackathon and also supporting me.

Comments

Post a Comment

Popular posts from this blog

This blog will be dedicated to my journey related to programming, Linux, open source projects and much more.  It will show my progress and various projects.
Read more

Connecting to a server using OpenSSL

Image
  What is OpenSSL? OpenSSL is an open source cryptographic tool used to secure communication over computer networks. Using the terminal we are going to connect to cyberstorm.mu which is acting as the server here, using OpenSSL from our VM which is the client. The command to be used : openssl s_client cyberstorm.mu:443 Note: s_client means we are in client mode and 443 is the port through which we are connecting to cyberstorm.mu Result from the command But what we are most interested in all of the output given is the ' Server Temp Key ' field. This field will help us identify whether this connection is using a post-quantum secure connection. As we are only focusing on the ' Server Temp Key ' field, we are going to use ' grep ' command with a pipe so we can search that field from the given output. The command to be used :  openssl s_client cyberstorm.mu:443 | grep 'Server Temp Key' Result from above command How to know if a connection is using a post-quant...
Read more

Understanding GITHUB

Image
Understanding GITHUB What is GitHub? GitHub is made up of two main aspects.  It is a cloud storage for your repositories and it is built upon on and integrated with Git so it is a fantastic tool for Version Control. It is a web based platform built for collaboration with others, whether it is a group of colleagues in a small team in a company or a group of strangers spread across the world. We will focus mainly on GitHub in this blog and keep Git as a future topic to be discussed. CREATING A REPOSITORY Creating a repository named Test_template Here I am creating a new repository on GitHub with the option of Public sharing meaning anyone can try to collaborate with me on this repo whereas private option is usually for personal work not meant to  be shared or a project developed by a small team in a company.  You see a 'Add a README file' option turned on. What is a README file? It is basically the first thing that pops up when someone clicks on the repo. It is a markdown (...
Read more