Replace AES-ECB with AES-GCM
Proposers
- Guillermo Calviño (Canonical)
- Gulsum Atici (Canonical)
- Mark Beierl (Canonical)
- Patricia Reinoso (Canonical)
Description
OSM uses AES in ECB mode (the default) for encryption, which is not semantically secure.
This feature proposes replacing AES-ECB with AES-GCM, which is one of the authenticated ciphers in TLS 1.3 (draft). Selecting AES-GCM provides authenticated encryption, so data integrity is assured. Backward compatibility is considered during the implementation.
Demo or definition of done
- Create a new network service including NFs configured with charms
- NS status should be active
- In the MongoDB database, in the ro_nsrs collection, the record that belongs to the created NS includes the nonce, authentication tag, public and private key.
This work is considered done when all the implementations, tests and documentation to use AES-GCM are contributed.
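
The difference between the two modes described above, together with a backward-compatible read path, as an added illustration that is not OSM's own code. It assumes the Python `cryptography` package; the record field names (`nonce`, `tag`, `ciphertext`) and the rule that a record without a nonce and tag is legacy ECB are hypothetical.

```python
import os
from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

BLOCK = 16  # AES block size in bytes

def ecb_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Legacy mode: each block encrypted independently, no nonce, no tag."""
    pad = BLOCK - len(plaintext) % BLOCK  # PKCS#7-style padding
    enc = Cipher(algorithms.AES(key), modes.ECB()).encryptor()
    return enc.update(plaintext + bytes([pad]) * pad) + enc.finalize()

def ecb_decrypt(key: bytes, ciphertext: bytes) -> bytes:
    dec = Cipher(algorithms.AES(key), modes.ECB()).decryptor()
    padded = dec.update(ciphertext) + dec.finalize()
    return padded[:-padded[-1]]  # strip padding

def gcm_encrypt(key: bytes, plaintext: bytes) -> dict:
    """New mode: fresh 96-bit nonce per record, 128-bit tag kept beside it."""
    nonce = os.urandom(12)
    sealed = AESGCM(key).encrypt(nonce, plaintext, None)  # ciphertext || tag
    return {"nonce": nonce, "tag": sealed[-16:], "ciphertext": sealed[:-16]}

def decrypt_record(key: bytes, record: dict) -> bytes:
    """Hypothetical compatibility rule: no nonce/tag means a legacy ECB record."""
    if "nonce" not in record or "tag" not in record:
        return ecb_decrypt(key, record["ciphertext"])
    sealed = record["ciphertext"] + record["tag"]
    return AESGCM(key).decrypt(record["nonce"], sealed, None)  # may raise InvalidTag

def tamper_detected(key: bytes, record: dict) -> bool:
    """Flip one ciphertext bit and report whether decryption rejects the record."""
    ct = record["ciphertext"]
    forged = dict(record, ciphertext=bytes([ct[0] ^ 1]) + ct[1:])
    try:
        decrypt_record(key, forged)
    except InvalidTag:
        return True
    return False

if __name__ == "__main__":
    key, secret = bytes(range(32)), b"A" * 32  # constructed sample key and data
    legacy = {"ciphertext": ecb_encrypt(key, secret)}
    print("ECB equal blocks leak:", legacy["ciphertext"][:16] == legacy["ciphertext"][16:32])
    print("ECB tamper detected:", tamper_detected(key, legacy))
    print("GCM tamper detected:", tamper_detected(key, gcm_encrypt(key, secret)))
```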