How to change the default PQ KEX algorithm of OQS-chromium? about oqs-demos HOT 9 CLOSED

You have hit on a shortcoming of OQS-chromium: No-one got around to implementing #52. If you need this feature and would have time to do this, we'd be very glad to receive a PR for this.

Presently the only way to set the acceptable client algorithms is to build the boringssl client (OQS-chromium) with the desired (set of) acceptable client algorithm(s) "baked in". This should be possible by changing the kDefaultGroups array as desired.

from oqs-demos.

Unfortunately I'm more like a researcher than a developer. Not really good at programming.

In my view, a good researcher (still consider myself one) shouldn't shy back from understanding others' code to give it new capabilities (call it "source code archaeology" and it's a scientific undertaking :-)

Does this mean once I built the chromium I can no longer change it anymore?

Yes. Thus it would be prudent to include all QSC algorithms your company servers would want to support: This is just a list: The more complete it is, the more algorithms your QSC-chromium build can support. It's only getting slightly more inefficient with an extremely long list of algorithms.

I'm guessing I probably should do this once the BoringSSL has been swapped with OQS-BoringSSL?

Yes. If you successfully built chromium all you (should) need to do is a re-build (after changing the list): The build system should take care of the rest.

from oqs-demos.

All right. But skills change over time and it'd be great if you could see this as a challenge to grow your skills on and help us resolve #52.

Sure. May I ask is there any information I can dig in to do this? I might start with researching about how to build this feature first. But no guarantee of completion cuz this task is apparently beyond my might. 😅😅

I'd then be glad to hear if this worked and we can close this issue.

Sure, I will get back to you once I've done this. Considering my testing environment, it might be next week.

from oqs-demos.

UW. Thanks for the feedback & get well soon.

from oqs-demos.

I see. Thank you for your response.

If you need this feature and would have time to do this, we'd be very glad to receive a PR for this.

Thanks for the invitation! Unfortunately I'm more like a researcher than a developer.😅 Not really good at programming. I'm doing a proof of concept project for my company which is setting an OQS enabled reverse proxy in front of all the company's servers to provide quantum safe front end connection.

Presently the only way to set the acceptable client algorithms is to build the boringssl client (OQS-chromium) with the desired (set of) acceptable client algorithm(s) "baked in". This should be possible by changing the kDefaultGroups array as desired.

Does this mean once I built the chromium I can no longer change it anymore?
Btw, may I ask when should I modify the file during the building process(like before which step)?
I'm guessing I probably should do this once the BoringSSL has been swapped with OQS-BoringSSL?

Kind regards,
Ray

from oqs-demos.

In my view, a good researcher (still consider myself one) shouldn't shy back from understanding others' code to give it new capabilities (call it "source code archaeology" and it's a scientific undertaking :-)

Totally agree. Maybe I should put it another way, I should say coding is my weakness and I'm still learning to improve it. But just consider what I am currently capable of I would say that the task is too hard for me. 😅😅

Yes. Thus it would be prudent to include all QSC algorithms your company servers would want to support: This is just a list: The more complete it is, the more algorithms your QSC-chromium build can support. It's only getting slightly more inefficient with an extremely long list of algorithms.

Yes. If you successfully built chromium all you (should) need to do is a re-build (after changing the list): The build system should take care of the rest.

I see. Thank you very much sir. This is very clear and helpful. I will rebuild it and choose a proper subset of the algorithms.

from oqs-demos.

I would say that the task is too hard for me

All right. But skills change over time and it'd be great if you could see this as a challenge to grow your skills on and help us resolve #52.

I see. Thank you very much sir. This is very clear and helpful. I will rebuild it and choose a proper subset of the algorithms.

Good to hear. I'd then be glad to hear if this worked and we can close this issue.

In any case, thanks for making us aware of some shortcomings in our documentation: We improved that accordingly.

from oqs-demos.

May I ask is there any information I can dig in to do this?

Sorry, I don't know: I didn't look into that myself. I'd start with a web search on chromium design docs and probably also use grep -r for existing command line parameters (implementation) and dig forward from there.

from oqs-demos.

I'd then be glad to hear if this worked and we can close this issue.

Sorry for the late response. In the past few days, I have been suffered from the side effects of my vaccination(AstraZeneca).

I have swapped the default algorithm into all kyber above level 3 and rebuilt the chromium.

The result was successful.

Since Chrome can connect to the server only when the server uses one of its default KEX algorithms, I used SSLOpenSSSLConfCmd in the httpd-ssl.conf file to specify which algorithm is allowed on the server side.

I chose algorithm kyber768 and kyber90s1024, the server returned the it works page.

On the other hand, I chose the algorithm kyber512, then it returned the error page cuz it's not one of the default algorithm.

Thanks again for all the help!

from oqs-demos.