Skip to content

[SECURITY] Upgrade session ticket cipher from DES to AES-256-GCM#5460

Open
aiceflower wants to merge 4 commits into
apache:masterfrom
aiceflower:fix-upgrade-ticket-cipher-des-to-aes-gcm
Open

[SECURITY] Upgrade session ticket cipher from DES to AES-256-GCM#5460
aiceflower wants to merge 4 commits into
apache:masterfrom
aiceflower:fix-upgrade-ticket-cipher-des-to-aes-gcm

Conversation

@aiceflower

Copy link
Copy Markdown
Member

Summary

Replace the legacy DES-based session ticket encryption with AES-256-GCM (AEAD). Solves DES 56-bit weak cipher and the lack of integrity/anti-tamper protection in one change.

Changes

New TicketCipher class

  • AES-256-GCM (NoPadding) — confidentiality + integrity (GCM AEAD)
  • PBKDF2WithHmacSHA256 key derivation — deterministic across JVM vendors (unlike SHA1PRNG in AESUtils)
  • Auto-detects V2 (GCM) vs legacy V1 (DES) on decrypt — backward compatible
  • V2 enabled/disabled via constructor toggle

Config switch

  • linkis.ticket.cipher.v2.enabled=true (default) — new tickets issued in AES-GCM format
  • Set to false to fall back to legacy DES if downstream systems have not yet upgraded
  • Decryption always auto-detects both formats regardless of switch state

Callers switched

  • ServerConfiguration.getUsernameByTicket / getTicketByUsername
  • ProxyUserSSOUtils proxy ticket encryption/decryption

Affected files

  • linkis-commons/linkis-common/.../TicketCipher.java (new, 147 lines)
  • linkis-commons/linkis-module/.../ServerConfiguration.scala (+58/-9)
  • linkis-commons/linkis-module/.../ProxyUserSSOUtils.scala (1 file, +4/-4)

Rollback

Set linkis.ticket.cipher.v2.enabled=false to revert to DES for new tickets. Existing V2 tickets continue to be accepted on decrypt regardless.

Deployment impact

Scenario Impact
Default (V2 on) New tickets in GCM; old DES tickets still accepted
Rollback (V2 off) New tickets in DES; existing V2 tickets still accepted
Mixed-version cluster All instances must be on this PR or later for V2 to work

🤖 Generated with Claude Code

… add startup validation with escape hatch

- Change default cryptKey from 'bdp-for-server' to empty string
- Add startup validation: empty / legacy default / short keys cause fail-closed BDPInitServerException
- Add escape hatch: linkis.crypt.key.allow.insecure=true (default false, logs ERROR banner)
…256-GCM with config toggle

- New TicketCipher class: AES-256-GCM (NoPadding) via PBKDF2WithHmacSHA256 key derivation
- GCM AEAD provides confidentiality + integrity in one pass, solving DES weak cipher
  and lack of anti-tamper protection
- Config toggle: linkis.ticket.cipher.v2.enabled=true (default, uses AES-GCM for new tickets)
  Set to false to revert to legacy DES for new tickets without losing V2 decrypt capability
- ServerConfiguration.getUsernameByTicket/getTicketByUsername switched to TicketCipher
- ProxyUserSSOUtils proxy ticket operations switched to TicketCipher
- Existing AESUtils class NOT modified (separate use case for datasource passwords)
@aiceflower
aiceflower force-pushed the fix-upgrade-ticket-cipher-des-to-aes-gcm branch from 28d0946 to 45c669c Compare July 16, 2026 03:53
- 17 tests: V2 AES-GCM encrypt/decrypt round-trip, deterministic key derivation,
  random IV, tampering detection (AEADBadTagException), blank input handling
- V1 legacy DES compat: encrypt/decrypt, deterministic output
- Cross-version: V2 decrypts V1 tickets, V1 decrypts V2 tickets
- Unicode and long plaintext coverage
casionone
casionone previously approved these changes Jul 17, 2026

@casionone casionone left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants