Testing NEW quantum-resistant TLS protocol X25519MLKEM768 for OpenTelemetry

What is OpenTelemetry?

OpenTelemetry serves as a standard for how to instrument code and send telemetry data to an Observability backend. Observability lets you understand a system from the outside by letting you ask questions about that system without knowing its inner workings. To ask those questions about your system, your application must be properly instrumented. That is, the application code must emit signals such as traces, metrics, and logs.

OpenTelemetry is the mechanism by which application code is instrumented to help make a system observable.

What is X25519MLKEM768?

X25519MLKEM768 is a hybrid key exchange mechanism that combines two cryptographic algorithms:

  • X25519 – a classical elliptic curve Diffie-Hellman (ECDH) key exchange algorithm using the Curve25519 elliptic curve.
  • ML-KEM-768 – a post-quantum key encapsulation mechanism (KEM) based on CRYSTALS-Kyber, the algorithm NIST selected for standardization in post-quantum cryptography.

Cyberstorm.mu is adding support for this new hybrid key exchange to OpenTelemetry.

How to test the new protocol?

The test was carried out on a Windows machine running Ubuntu 24.04 LTS (WSL).

Step 1

OpenTelemetry requires Golang version 1.24 but the latest version of Go in Canonical's repository is v1.22. So, we need to install the required version from an unofficial repository.

Add the new repository and update apt:
sudo add-apt-repository ppa:longsleep/golang-backports &&
sudo apt update

Step 2

Install Golang:
sudo apt install golang-1.24

Step 3

Clone the forked GitHub repository of OpenTelemetry Collector:
git clone https://github.com/cyberstormdotmu/opentelemetry-collector.git

Step 4

Navigate into the cloned repository:
cd opentelemetry-collector/

Your directory should look like the following (screenshot not reproduced here):

Step 5

Build the binary from source:
make install-tools && make otelcorecol

This creates a new folder, bin, containing the compiled program.

Step 6

Generate the private key and certificates for the collector:
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes

Step 7

Create a new config.yaml file:

nano config.yaml

Add the following code and save the file (Ctrl+X followed by Y):
receivers:
  otlp:
    protocols:
      grpc:
        endpoint: 0.0.0.0:4317
        tls:
          cert_file: ./cert.pem
          key_file: ./key.pem
          curve_preferences: [X25519MLKEM768]

exporters:
  otlp:
    endpoint: otlp-destination:4317
    tls:
      cert_file: ./cert.pem
      key_file: ./key.pem
      curve_preferences: [X25519MLKEM768]

service:
  pipelines:
    traces:
      receivers: [otlp]
      exporters: [otlp]

Your text file should look something like this (screenshot not reproduced here):

Step 8

Run the collector binary built in Step 5 (it is in the bin folder) with the config file:
otelcol --config config.yaml

Hit Ctrl+Z to suspend the collector, then type bg so it keeps running in the background. A process that is only suspended does not answer connections, so the TLS test in Step 12 would hang against it.

Step 9

Ubuntu 24.04 comes with OpenSSL v3.0 by default, which does not support the X25519MLKEM768 key exchange. So, we need to install the latest OpenSSL (v3.5.1 as of writing) by building from source.

First, install the required build tools:
sudo apt install build-essential checkinstall zlib1g-dev -y

Step 10

Download and extract the latest OpenSSL:
cd /tmp
wget https://www.openssl.org/source/openssl-3.5.1.tar.gz
tar -xf openssl-3.5.1.tar.gz
cd openssl-3.5.1

Step 11

Configure, build and install the program:
./config --prefix=/usr/local/ssl --openssldir=/usr/local/ssl shared zlib
make
make test
sudo make install

Step 12

Verify the installation. The new build lives under the prefix given in Step 11, so call it by its full path; a bare openssl still runs Ubuntu's 3.0 build:
/usr/local/ssl/bin/openssl version

The output should report version 3.5.1. If the binary instead fails complaining about the version of the shared OpenSSL library, it picked up the system libssl; point LD_LIBRARY_PATH at the lib directory under /usr/local/ssl (lib64 on x86_64) and try again.

Test the TLS connection with the new OpenSSL (the collector from Step 8 must still be running):
/usr/local/ssl/bin/openssl s_client -connect localhost:4317 -tls1_3 -curves X25519MLKEM768 -msg

Look for the following line in the output (screenshot not reproduced here):

If you got a similar output, the test was successful!

Conclusion

Thanks to the efforts of CyberStorm.MU, the most widely-used telemetry collection platform now supports a post-quantum cryptographic standard, making cloud native applications safer from future digital threats.
