Support AES-256 password encoding In Liberty #29659
Comments
Slide 4.
Slide 12: This AES prefix, it's the same for both? Do you differentiate with the length? Question: Are the terms AESv0 AESv1 for internal use or external use?
Slide 13: Question: Will 256 be adequate to meet current standards?
Slide 18: Question: It might introduce confusion where the user may update to the latest version of Liberty and run the same command with the same key but get a different value. It is unlikely that a customer would care about this. Question: Is this all transparent to the users? Question: Is there a flow outside of our runtime, via the API or utility where these AES strings are encoded or decoded? Notes:
Slide 22:
Slide 28:
Slide 29: Question? Does the number of encrypted passwords matter? Question: Is it the same cost with decryption?
Slide 30: |
UFO Review changes |
Beta PR: #30049 |
This isn't correct. We only generate the encryption key once on startup, but how often the password is decrypted will depend on the runtime that consumes that password. Best practice would be to keep it encrypted except when the decrypted form is needed. However we do not enforce it. The ConfigAdmin version will always be encrypted and the consumer of that has to decrypt, so it depends on how often the consumer goes back to the string in ConfigAdmin.
This says we need to check this, but I do not see it being addressed in the comment or the UFO.
I do not follow this. We are not removing support for AES-128 so if a customer has AES-128 encrypted passwords they would be correctly decrypted by Liberty. Perhaps there is impact on whatever Paris is where it would want to use AES-256, but that would just require Paris to update to a newer Liberty.
This is not correct. It is a one time cost to generate the encryption key, but not to decrypt passwords. If you have 1 encrypted password it'll be faster than 100. |
Good point, that is an important distinction to make. I will update slide 29: Performance - The encryption key is derived one-time at startup. Frequency of password decryption will depend on the runtime.
I circled back on this with Tom W. I will update slide 22 with some actions he requested:
This is no longer a concern, I will remove it.
That is true. It is important to note the performance cost of decrypting the passwords is much less than the cost of deriving the AES key itself but there is still a cost. From a few tests locally, it is roughly 2 orders of magnitude less (x0.01). The actual decryption of each password took around 1ms or less. Whereas the AES key derivation took around ~400ms. This was from running on my laptop. |
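The cost split discussed in the comments above (key derived once at startup, each password decrypted when a consumer asks for it), as an added example that is not Open Liberty's code. PBKDF2-HMAC-SHA512, the iteration count, AES-256-GCM, the IV-prefixed layout and the class name are assumptions; the key string and passwords are constructed.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.*;
import javax.crypto.spec.*;

public class DeriveOnceDecryptOnDemand {
    // Assumed parameters for illustration; not Liberty's actual KDF, iteration count or mode.
    static final int ITERATIONS = 200_000, KEY_BITS = 256, IV_LEN = 12, TAG_BITS = 128;

    // Expensive step: run once at startup and keep the resulting key.
    static SecretKeySpec deriveKey(char[] secret, byte[] salt) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(secret, salt, ITERATIONS, KEY_BITS);
        byte[] raw = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA512").generateSecret(spec).getEncoded();
        spec.clearPassword();
        return new SecretKeySpec(raw, "AES");
    }

    // Stored form is IV || ciphertext+tag (constructed layout, not Liberty's encoding).
    static byte[] encrypt(SecretKeySpec key, String plain) throws Exception {
        byte[] iv = new byte[IV_LEN];
        new SecureRandom().nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, iv));
        byte[] ct = c.doFinal(plain.getBytes(StandardCharsets.UTF_8));
        return ByteBuffer.allocate(IV_LEN + ct.length).put(iv).put(ct).array();
    }

    // Cheap step: paid on every access, so total cost scales with the number of reads.
    static byte[] decrypt(SecretKeySpec key, byte[] blob) throws Exception {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, blob, 0, IV_LEN));
        return c.doFinal(blob, IV_LEN, blob.length - IV_LEN);
    }

    public static void main(String[] args) throws Exception {
        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt);
        long t0 = System.nanoTime();
        SecretKeySpec key = deriveKey("constructed-key-string".toCharArray(), salt);
        long t1 = System.nanoTime();
        byte[][] stored = new byte[100][];
        for (int i = 0; i < stored.length; i++) stored[i] = encrypt(key, "constructed-pw-" + i);
        long t2 = System.nanoTime();
        for (byte[] blob : stored) Arrays.fill(decrypt(key, blob), (byte) 0); // use, then wipe
        System.out.printf("derive once: %d ms; each decrypt: %d us%n",
                (t1 - t0) / 1_000_000, (System.nanoTime() - t2) / stored.length / 1_000);
    }
}
```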
Thank you for your feedback @NottyCode! I have responded in my comment above |
@Zech-Hein thanks |
FAT test updates: #30259 |
…PasswordDecodingException failure Co-authored-by: Malhar Shah <[email protected]>
@OpenLiberty/demo-approvers Demo scheduled for EOI 24.24 UPDATE: Demo Completed - 11/26/2024 |
Serviceability Approval Comment - Please answer the following questions for serviceability approval:
|
The documentation is done: OpenLiberty/docs#7651 Approving this epic. |
InstantOn checkpoint passwordUtil test updated for aes256 |
Description
Open Liberty does not currently support AES-256 password encoding. Only AES-128 byte password encoding is currently supported. Customers would like to use AES-256 for stronger password encoding.
Documents
When available, add links to required feature documents. Use "N/A" to mark particular documents which are not required by the feature.
Aha idea
Requested feature
Process Overview
General Instructions
The process steps occur roughly in the order as presented. Process steps occasionally overlap.
Each process step has a number of tasks which must be completed or must be marked as not applicable ("N/A").
Unless otherwise indicated, the tasks are the responsibility of the feature owner or a delegate of the feature owner.
If you need assistance, reach out to the OpenLiberty/release-architect.
Important: Labels are used to trigger particular steps and must be added as indicated.
Prioritization (Complete Before Development Starts)
The OpenLiberty/chief-architect and area leads are responsible for prioritizing the features and determining which features are being actively worked on.
Prioritization
Prioritization - Requested
Prioritization - Requested label removed (OpenLiberty/project-manager or feature owner)
Design (Complete Before Development Starts)
Design preliminaries determine whether a formal design, which will be provided by an Upcoming Feature Overview (UFO) document, must be created and reviewed. A formal design is required if the feature requires any of the following: UI, Serviceability, SVT, Performance testing, or non-trivial documentation/ID. Furthermore, each identified item places a blocking requirement on another team so it must be identified early in the process. The feature owner may check-off the item if they know it doesn't apply, but otherwise they should work with the focal point to determine what work, if any, will be necessary and make them aware of it.
Design Preliminaries
ID Required, if non-trivial documentation needs to be created by the ID team.
ID Required - Trivial, if no design will be performed and only trivial ID updates are needed.
Design
Design Review Request
Design Approval Request
Design Approved
No Design - NA
No Design Approval Request
No Design Approved
Product Management Approval Request and notifies OpenLiberty/product-management
Product Management Approved (OpenLiberty/product-management)
FAT Documentation
Implementation
A feature must be prioritized before any implementation work may begin to be delivered (inaccessible/no-ship). However, a design focused approach should still be applied to features, and developers should think about the feature design prior to writing and delivering any code.
Besides being prioritized, a feature must also be socialized (or No Design Approved) before any beta code may be delivered. All new Liberty content must be inaccessible in our GA releases until it is Feature Complete by either marking it kind=noship or beta fencing it.
Code may not GA until this feature has obtained the Design Approved or No Design Approved label, along with all other tasks outlined in the GA section.
Feature Development Begins
In Progress label
Legal and Translation
In order to avoid last minute blockers and significant disruptions to the feature, the legal items need to be done as early in the feature process as possible, either in design or as early into the development as possible. Similarly, translation is to be done concurrently with development. All items below MUST be completed before beta & GA is requested.
Innovation (Complete 1 week before Beta & GA Feature Complete Date)
Legal (Complete before Beta & GA Feature Complete Date)
Translation (Complete by Beta & GA Feature Complete Date)
Beta
In order to facilitate early feedback from users, all new features and functionality should first be released as part of a beta release.
Beta Code
kind=beta, ibm:beta, ProductInfo.getBetaEdition()
target:beta and the appropriate target:YY00X-beta (where YY00X is the targeted beta version) to the feature issue.
target:YY00(X+1)-beta, target:YY00(X+2)-beta, etc. label for each additional beta that includes this feature.
release:YY00X-beta (where YY00X is the first beta version that included the functionality).
Beta Blog (Complete by beta eGA)
target:YY00X-beta label added to it.
GA
A feature is ready to GA after it is Feature Complete and has obtained all necessary Focal Point Approvals.
Feature Complete
Translation - Not Required, Translation - Complete, or Translation - Missing label
Translation - Not Required.
release branch, feature owner adds label Translation - Complete.
Translation - Missing.
Translation - Missing label is replaced with Translation - Complete.
Translation - Blocked label.
Translation - Blocked may NOT proceed to GA until the label has been replaced with either Translation - Missing or Translation - Complete.
target:ga and the appropriate target:YY00X (where YY00X is the targeted GA version).
Focal Point Approvals (Complete by Feature Complete Date)
These occur only after GA of this feature is requested (by adding a target:ga label). GA of this feature may not occur until all approvals are obtained.
All Features
focalApproved:externals
@OpenLiberty/demo-approvers Demo scheduled for EOI [Iteration Number] to this issue.
focalApproved:demo.
focalApproved:fat.
Design Approved Features
focalApproved:id.
focalApproved:instantOn.
focalApproved:performance.
focalApproved:sve.
focalApproved:ste.
focalApproved:svt.
Remove Beta Fencing (Complete by Feature Complete Date)
GA Blog (Complete by Friday after GM)
Post GM (Complete before GA)
Post GA
target:ga and target:YY00X labels, and add the appropriate release:YY00X. (OpenLiberty/release-manager)
Other Deliverables