Add support for AES in EncryptionService

[martynaslawinska]

jgomer2001 commented on Mar 9, 2020
Currently we support 3DES as cipher, usage will be considered disallowed after 2023.

See https://www.cryptomathic.com/news-events/blog/3des-is-officially-being-retired

According to draft guidance published by NIST on July 19, 2018, the Triple Data Encryption
Algorithm (TDEA or 3DES) is officially being retired

[smansoft]

major change.
Changing this class (EncryptionService) will affect encrypting/decrypting Ldap Password from:
/etc/jans/conf/jans-ldap.properties.

Otherwise EncryptionService and StringEncrypter are internal parts of the project and they can be used in such ways for encrypting various strings, not only for Encrypting Ldap Password.

There are some ways for implementing AES support, including solving Symmetric Key:

1. we can use standard PBKDF2 and correspondent implementing in Java and Python for generating keys.
   in this case we need to save

• salt
• user friendly (or random) password
• iv
  in the file:
  /etc/jans/conf/salt
  salt and user friendly (or random) password will be used for generating symmetric key.
  StringEncrypter will receive: salt, user friendly (or random) password, iv (initial vector).
  Using implementing of PBKDF2, that use user friendly (or random) password and salt, key will be solved.
  Then this key and iv will be used for encrypting.
  In this case we will need add usage PBKDF2 and AES in python code (jans-setup).

2. We can solve random salt (necessary length - 128/192/256 bits) and generate random iv and then save it into /etc/jans/conf/salt. During using AES we just receive salt and use it as symmetric key. iv is used as initial vector.

3. Also we can save parameters, which define salt for every mode and key length:
   salt:alg:mode:lenght=salt
   passw:alg:mode:lenght=passw
   iv:alg:mode:lenght=iv

The main discussion questions:

• should we use passw and salt (in this case we will use PBKDF2) or just salt (in this case salt is a key for AES)?

[yurem]

I think we need to replace deprecated 3DS with AES. We use this service to protect passwords in configuration files. We don't use it to protect data which we send over network. Hence this approach should be simple to allow implement it in Python/JS too.

[nynymike]

I think @yurem is advocating for salt. If AES is sufficient today, let's keep it simple.

[smansoft]

@shmorri

Why this Issue has status "To Be Assigned" ?

It's implemented but not merged yet:
https://github.com/JanssenProject/jans-auth-server/pull/265
and
https://github.com/JanssenProject/jans-setup/pull/74
.

[smansoft]

@shmorri
I've changed the status.
Thanks.