Support AES-256 password encoding In Liberty

[Zech-Hein]

Description

Open Liberty does not currently support AES-256 password encoding. Only AES-128 byte password encoding is currently supported. Customers would like to use AES-256 for stronger password encoding.

---

Documents

When available, add links to required feature documents. Use "N/A" to mark particular documents which are not required by the feature.

• Externally raised requests for enhancements:

  • Aha: https://cloud-platform.ideas.ibm.com/ideas/LIBERTY-I-123
  • Feature owner adds label Aha idea
  • Open Liberty Feature Request: Link to the OL GH issue (also add a link to this issue in the Feature Request GH issue)
  • Feature owner adds label Requested feature

• UFO: https://ibm.box.com/s/52o7fj5venrvubwiabktnbtfltwnw00r

• FTS: https://github.com/OpenLiberty/open-liberty/issues/30048

• Beta Blog(s): https://github.com/OpenLiberty/open-liberty/issues/30261

• GA Blog: Link to GA Blog Post GH Issue

• ---

  Process Overview

• Prioritization

• Design

• Implementation

• Legal and Translation

• Beta

• GA

  • Focal Point Approvals

• Other Deliverables

General Instructions

The process steps occur roughly in the order as presented. Process steps occasionally overlap.

Each process step has a number of tasks which must be completed or must be marked as not applicable ("N/A").

Unless otherwise indicated, the tasks are the responsibility of the feature owner or a delegate of the feature owner.

If you need assistance, reach out to the OpenLiberty/release-architect.

Important: Labels are used to trigger particular steps and must be added as indicated.

---

Prioritization (Complete Before Development Starts)

The OpenLiberty/chief-architect and area leads are responsible for prioritizing the features and determining which features are being actively worked on.

Prioritization

• [x] Feature owner adds label Prioritization - Requested

  • This puts the feature on the radar of the OpenLiberty/chief-architect and OpenLiberty/project-manager. They are responsible for querying for new features that need to be prioritized.

• [x] OpenLiberty/project-manager adds feature to the "New" column of the Open Liberty project board

• [x] Priority assigned

  • Attend the Liberty Backlog Prioritization meeting
  • Prioritization - Requested label removed (OpenLiberty/project-manager or feature owner)

• ---

  Design (Complete Before Development Starts)

Design preliminaries determine whether a formal design, which will be provided by an Upcoming Feature Overview (UFO) document, must be created and reviewed. A formal design is required if the feature requires any of the following: UI, Serviceability, SVT, Performance testing, or non-trivial documentation/ID. Furthermore, each identified item places a blocking requirement on another team so it must be identified early in the process. The feature owner may check-off the item if they know it doesn't apply, but otherwise they should work with the focal point to determine what work, if any, will be necessary and make them aware of it.

Design Preliminaries

• [x] UI requirements identified, or N/A. (Feature owner and UI focal point)
• [x] Accessibility requirements identified, or N/A. (Feature owner and Accessibility focal point)
• [x] ID requirements identified, or N/A. (Feature owner and ID focal point)
  • Refer to Documenting Open Liberty.
  • Feature owner adds label ID Required, if non-trivial documentation needs to be created by the ID team.
  • ID adds label ID Required - Trivial, if no design will be performed and only trivial ID updates are needed.
• [x] Serviceability requirements identified, or N/A. (Feature owner and Serviceability focal point)
• [x] SVT requirements identified, or N/A. (Feature owner and SVT focal point)
• [x] Performance testing requirements identified, or N/A. (Feature owner and Performance focal point)

Design

• [x] POC Design / UFO review requested.
  • Feature owner adds label Design Review Request
• [x] POC Design / UFO review scheduled.
  • Follow the instructions in POC-Forum repo
• [x] POC Design / UFO review completed.
• [x] POC / UFO Review follow-ons completed.
• [x] POC Design / UFO approval requested.
  • Feature owner adds label Design Approval Request
• [x] Design / UFO approved. (OpenLiberty/chief-architect) or N/A
  • (OpenLiberty/chief-architect) adds label Design Approved
  • Add the public link to the UFO in Box to the Documents section.
  • The UFO must always accurately reflect the final implementation of the feature. Any changes must be first approved. Afterwards, update the UFO by creating a copy of the original approved slide(s) at the end of the deck and prepend "OLD" to the title(s). A single updated copy of the slide(s) should take the original's place, and have its title(s) prepended with "UPDATED".

No Design - NA

• NA - No Design requested.
  • Feature owner adds label No Design Approval Request
• NA - No Design / No UFO approved. (OpenLiberty/chief-architect) or N/A
  • Approver adds label No Design Approved
• NA - Feature / Capability stabilization or discontinuation or N/A
  • Feature owner adds label Product Management Approval Request and notifies OpenLiberty/product-management
  • Approver adds label Product Management Approved (OpenLiberty/product-management)
  • Note: For stabilized, superseded, and discontinued feature/capability, skip the Beta section of the template (you may delete it). Otherwise, proceed as normal.

FAT Documentation

• [x] "Feature Test Summary" child task created

  • Use the Feature Test Summary Template
  • Add FTS issue link to the Documents section.

• ---

  Implementation

A feature must be prioritized before any implementation work may begin to be delivered (inaccessible/no-ship). However, a design focused approach should still be applied to features, and developers should think about the feature design prior to writing and delivering any code.
Besides being prioritized, a feature must also be socialized (or No Design Approved) before any beta code may be delivered. All new Liberty content must be inaccessible in our GA releases until it is Feature Complete by either marking it kind=noship or beta fencing it.
Code may not GA until this feature has obtained the Design Approved or No Design Approved label, along with all other tasks outlined in the GA section.

Feature Development Begins

• [x] Add the In Progress label

Legal and Translation

In order to avoid last minute blockers and significant disruptions to the feature, the legal items need to be done as early in the feature process as possible, either in design or as early into the development as possible. Similarly, translation is to be done concurrently with development. All items below MUST be completed before beta & GA is requested.

Innovation (Complete 1 week before Beta & GA Feature Complete Date)

• [x] Consider whether any aspects of the feature may be patentable. If any identified, disclosures have been submitted.

Legal (Complete before Beta & GA Feature Complete Date)

• [x] N/A -Changed or new open source libraries are cleared and approved, or N/A. (Legal Release Services/Cass Tucker/Release PM).

Translation (Complete by Beta & GA Feature Complete Date)

• [x] N/A - PII (Program Integrated Information) updates are merged (i.e. all English strings due for translation have been delivered), or N/A.

• ---

  Beta

In order to facilitate early feedback from users, all new features and functionality should first be released as part of a beta release.

Beta Code

• [x] Beta fence the functionality
  • E.g. kind=beta, ibm:beta, ProductInfo.getBetaEdition()
• [x] Beta development complete and feature ready for inclusion in a beta release
  • Add label target:beta and the appropriate target:YY00X-beta (where YY00X is the targeted beta version) to the feature issue.
  • Note: This is expected to be done only once, for the initial beta that includes this feature. You do not need to add a target:YY00(X+1)-beta, target:YY00(X+2)-beta, etc. label for each additional beta that includes this feature.
• [ ] Feature delivered into beta
  • (OpenLiberty/release-manager) adds label release:YY00X-beta (where YY00X is the first beta version that included the functionality).

Beta Blog (Complete by beta eGA)

• [x] Beta blog issue created and populated using the Open Liberty BETA blog post template.

  • Add a link to the beta blog issue in the Documents section.
  • Note: This is for inclusion into the overall beta release blog post. If, in addition, you'd also like to create a dedicated blog post about your feature, then follow the "Standalone Feature Blog Post" instructions under the Other Deliverables section.
  • A feature may have multiple beta blogs associated with it. This is especially useful for features that are continuously adding functionality each release and want to advertise what is new since the previous beta.
  • Each beta blog issue should have the appropriate target:YY00X-beta label added to it.
  • Include each beta blog issue in the Documents section.

• ---

  GA

A feature is ready to GA after it is Feature Complete and has obtained all necessary Focal Point Approvals.

Feature Complete

• [ ] Feature implementation and tests completed.
  • [ ] All PRs are merged.
  • [ ] All related/child issues are closed.
  • [ ] All stop ship issues are completed.
• [ ] Legal: all necessary approvals granted.
• [ ] Innovation: IP identified and any applicable disclosures submitted
• [x] Translation: Feature may only proceed to GA if it has either Translation - Not Required, Translation - Complete, or Translation - Missing label
  • If the feature does not have anything that required translation, the feature owner adds the label Translation - Not Required.
  • If all translation has been delivered to release branch, feature owner adds label Translation - Complete.
  • If missing translation does not cause a break in functionality, nor a security or production outage risk, feature owner adds label Translation - Missing.
  • Once all missing translations are delivered, the Translation - Missing label is replaced with Translation - Complete.
  • If missing translation could cause a break in functionality or a security or production outage risk, feature owner adds the Translation - Blocked label.
  • Features with Translation - Blocked may NOT proceed to GA until the label has been replaced with either Translation - Missing or Translation - Complete.
  • For further guidance, contact Globalization focal point or the Release Architect.
• [ ] GA development complete and feature ready for inclusion in a GA release
  • Add label target:ga and the appropriate target:YY00X (where YY00X is the targeted GA version).
  • Inclusion in a release requires the completion of all Focal Point Approvals.

Focal Point Approvals (Complete by Feature Complete Date)

These occur only after GA of this feature is requested (by adding a target:ga label). GA of this feature may not occur until all approvals are obtained.

All Features

• [ ] APIs/Externals - Externals have been reviewed or N/A. (OpenLiberty/externals-approvers)
  • Approver adds label focalApproved:externals
• [ ] Demo - Demo is scheduled for an upcoming EOI or N/A. (OpenLiberty/demo-approvers)
  • Add comment @OpenLiberty/demo-approvers Demo scheduled for EOI [Iteration Number] to this issue.
  • Approver adds label focalApproved:demo.
• [ ] FAT - All Tests complete and running successfully in SOE or N/A. (OpenLiberty/fat-approvers)
  • Approver adds label focalApproved:fat.

Design Approved Features

• [ ] ID - Documentation is complete or N/A. (OpenLiberty/id-approvers)
  • Approver adds label focalApproved:id.

  • NOTE: If only trivial documentation changes are required, you may reach out to the ID Feature Focal to request a ID Required - Trivial label. Unlike features with regular ID requirement, those with ID Required - Trivial label do not have a hard requirement for a Design/UFO.

• [ ] InstantOn - InstantOn capable or N/A. (OpenLiberty/instantOn-approvers)
  • Approver adds label focalApproved:instantOn.
• [ ] Performance - Performance testing is complete or N/A. (OpenLiberty/performance-approvers)
  • Approver adds label focalApproved:performance.
• [ ] Serviceability - Serviceability has been addressed or N/A. (OpenLiberty/serviceability-approvers)
  • Approver adds label focalApproved:sve.
• [ ] STE - Skills Transfer Education chart deck is complete or N/A. (OpenLiberty/ste-approvers)
  • Approver adds label focalApproved:ste.
• [ ] SVT - System Verification Test is complete or N/A. (OpenLiberty/svt-approvers)
  • Approver adds label focalApproved:svt.

Remove Beta Fencing (Complete by Feature Complete Date)

• [ ] Beta guards are removed, or N/A
  • Only after all necessary Focal Point Approvals have been granted.

GA Blog (Complete by Friday after GM)

• [ ] GA Blog issue created and populated using the Open Liberty GA release blog post template.
  • Add a link to the GA Blog issue in the Documents section.
  • Note: This is for inclusion into the overall release blog post. If, in addition, you'd also like to create a dedicated blog post about your feature, then follow the "Standalone Feature Blog Post" instructions under the Other Deliverables section.

Post GM (Complete before GA)

• [ ] After confirming this feature has been included in the GM driver, feature owner closes this issue.

Post GA

• [ ] Remove the target:ga and target:YY00X labels, and add the appropriate release:YY00X. (OpenLiberty/release-manager)

• ---

  Other Deliverables

• [ ] Standalone Feature Blog Post - A blog post specifically about your feature or N/A. (Feature owner and OpenLiberty/release-architect)

  • This should be strongly considered for larger or more prominent features.
  • Follow instructions in the blogs repo.

• [ ] OL Guides - OL Guides assessment is complete or N/A. (OpenLiberty/guide-assessment)

• [ ] Dev Experience - Developer Experience & Tools work is complete or N/A. (OpenLiberty/dev-experience-assessment)

• ---

[yasmin-aumeeruddy]

Slide 4. Question: Are we looking to extend support for other attributes? Answer: Yes there are issues currently open.

Slide 12: Question: Are you referring to the performance of encryption or decryption? Answer: Both encryption and decryption. The part that matters for the Liberty server is the decrypting which happens one time at server start up or if you have a configuration update with the password.

This AES prefix, it's the same for both? Do you differenciate with the length? The diffenciation for the string is from the actual value of the string when you decode it into a byte array. The first byte's value is a 0 for AESv0 but the new version will have a 1.

Question: Are the terms AESv0 AESv1 for internal use or external use? Answer That is internal use. It's not even shown in the documentation

Slide 13 : Question: Are you leaving a backdoor to carry on allowing us to encrypt using AES-128.
Answer: We do not plan on providing this. If needed, older versions of Liberty can be used.

Question: Will 256 be adequate to meet current standards? Answer: Yes, even 128 is adequate but no one has expressed interest in 128.

Slide 18: Question: When you use securityUtility in code, we have -key that is not the actual key value. It may be confusing. Answer: The parameter is just the string for the password used to derive the key value.

Question: It might introduce confusion where the user may update to the latest version of Liberty and run the same command with the same key but get a different value. It is unlikely that a customer would care about this. Answer: Even if a customer would run the same password with the 128, they would get a different bytes anyway.

Question: Is this all transparant to the users? Answer: Yes, it will be transparant. A lot of customers have been asking about this. They would also notice that when they run the same commands, the actual values are longer.

Question: Is there a flow outside of our runtime, via the API or utility where these AES strings are encoded or decoded? Answer: There are no developer toolings that would have its own way of doing this without calling these APIs. It may be worth checking this with the developer teams though.

Notes: Missing -- before key Missing quotations around the API decryption example value.

Slide 22: Concern - There was a time when the jvm wouldn't allow certain security algorithms before checkpoint. We put a restore hook into authDataImplementation to delay the decryption for the auth data at restore. This may be okay for auth data. However, if it is called after checkpint they may get an NoSuchFound algorithm exception. We are unsure if 128/256 decryption has been tested for checkpoint. We need to check that.

Slide 28: Concern- The impact on Paris needs considering: Encrypted values in files and secrets are mounted into the Liberty pod as it starts. The Liberty instance that runs the customer's instance is not the same. The versions may not align and AES-128 may be used with the customer's instance but not supported by the Liberty instance. We need to ensure that the version of Liberty that runs the rest api feature is consistent for Paris.

Slide 29: Question: Why are we comparing the 256 with 512? Answer: For AESv1, we are planning to use the PBKDF2WithHmacSHA512 algorithm.

Question? Does the number of encypted passwords matter?
Answer: No it doesn't matter. There is a one time cost.

Question: Is it the same cost with decryption? Answer: Yes. The cost comes from getting the algorithm implementation loaded.

Slide 30: Note: It would be worth noting the Paris concerns here (See above)

[Zech-Hein]

UFO Review changes slide 18: I fixed the --key slide 30: I added the Paris concern about liberty versions being different

[Zech-Hein]

Beta PR: https://github.com/OpenLiberty/open-liberty/pull/30049

[NottyCode]

Slide 12: Question: Are you referring to the performance of encryption or decryption? Answer: Both encryption and decryption. The part that matters for the Liberty server is the decrypting which happens one time at server start up or if you have a configuration update with the password.

This isn't correct. We only generate the encryption key once on startup, but how often the password is decrypted will depend on how the runtime that consumes that password. Best practice would be to keep it encrypted except when the decrypted form is needed. However we do not enforce it. The ConfigAdmin version will always be encrypted and the consumer of that has to decrypt, so it depends on how often the consumer goes back to the string in ConfigAdmin.

Slide 22: Concern - There was a time when the jvm wouldn't allow certain security algorithms before checkpoint. We put a restore hook into authDataImplementation to delay the decryption for the auth data at restore. This may be okay for auth data. However, if it is called after checkpint they may get an NoSuchFound algorithm exception. We are unsure if 128/256 decryption has been tested for checkpoint. We need to check that.

This says we need to check this, but I do not see it being addressed in the comment or the UFO.

Slide 28: Concern- The impact on Paris needs considering: Encrypted values in files and secrets are mounted into the Liberty pod as it starts. The Liberty instance that runs the customer's instance is not the same. The versions may not align and AES-128 may be used with the customer's instance but not supported by the Liberty instance. We need to ensure that the version of Liberty that runs the rest api feature is consistent for Paris.

I do not follow this. We are not removing support for AES-128 so if a customer has AES-128 encrypted passwords they would be correctly decrypted by Liberty. Perhaps there is impact on whatever Paris is where it would want to use AES-256, but that would just require Paris to update to a newer Liberty.

Question? Does the number of encypted passwords matter? Answer: No it doesn't matter. There is a one time cost.

This is not correct. It is a one time cost to generate the encryption key, but not to decrypt passwords. If you have 1 encrypted password it'll be faster than 100.

[Zech-Hein]

Slide 12: Question: Are you referring to the performance of encryption or decryption? Answer: Both encryption and decryption. The part that matters for the Liberty server is the decrypting which happens one time at server start up or if you have a configuration update with the password.

This isn't correct. We only generate the encryption key once on startup, but how often the password is decrypted will depend on how the runtime that consumes that password. Best practice would be to keep it encrypted except when the decrypted form is needed. However we do not enforce it. The ConfigAdmin version will always be encrypted and the consumer of that has to decrypt, so it depends on how often the consumer goes back to the string in ConfigAdmin.

Good point, that is an important distinction to make. I will update slide 29: Performance - The encryption key is derived one-time at startup. Frequency of password decryption will depend on the runtime.

Slide 22: Concern - There was a time when the jvm wouldn't allow certain security algorithms before checkpoint. We put a restore hook into authDataImplementation to delay the decryption for the auth data at restore. This may be okay for auth data. However, if it is called after checkpint they may get an NoSuchFound algorithm exception. We are unsure if 128/256 decryption has been tested for checkpoint. We need to check that.

This says we need to check this, but I do not see it being addressed in the comment or the UFO.

I circled back on this with Tom W. I will update slide 22 with some actions he requested:

1. Add to the existing instantOn password utilities tests to use the new AES-256 format (V1)
2. Confirm the following: most likely com.ibm.websphere.crypto.PasswordUtil.passwordDecode(String) calls already fail before checkpoint because the JVM doesn't enable the algorithms before checkpoint

   Slide 28: Concern- The impact on Paris needs considering: Encrypted values in files and secrets are mounted into the Liberty pod as it starts. The Liberty instance that runs the customer's instance is not the same. The versions may not align and AES-128 may be used with the customer's instance but not supported by the Liberty instance. We need to ensure that the version of Liberty that runs the rest api feature is consistent for Paris.

I do not follow this. We are not removing support for AES-128 so if a customer has AES-128 encrypted passwords they would be correctly decrypted by Liberty. Perhaps there is impact on whatever Paris is where it would want to use AES-256, but that would just require Paris to update to a newer Liberty.

This is no longer a concern, I will remove it.

Question? Does the number of encypted passwords matter? Answer: No it doesn't matter. There is a one time cost.

This is not correct. It is a one time cost to generate the encryption key, but not to decrypt passwords. If you have 1 encrypted password it'll be faster than 100.

That is true. It is important to note the performance cost of decrypting the passwords is much less than the cost of deriving the AES key itself but there is still a cost. From a few tests locally, it is roughly 2 orders of magnitude less (x0.01). The actual decryption of each password took around 1ms or less. Whereas the AES key derivation took around ~400ms. This was from running on my laptop.

[Zech-Hein]

Thank you for your feedback @NottyCode! I have responded in my comment above

[NottyCode]

@Zech-Hein thanks

[Zech-Hein]

FAT test updates: https://github.com/OpenLiberty/open-liberty/pull/30259

[Zech-Hein]

@OpenLiberty/demo-approvers Demo scheduled for EOI 24.24

UPDATE: Demo Completed - 11/26/2024