Posted to issues@nifi.apache.org by "David Handermann (Jira)" <ji...@apache.org> on 2021/03/18 19:58:00 UTC

[jira] [Resolved] (NIFI-7905) MergeContent should support password-protected Zip archives

     [ https://issues.apache.org/jira/browse/NIFI-7905?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

David Handermann resolved NIFI-7905.
------------------------------------
    Resolution: Won't Fix

The encryption options supported in Zip4J do not meet current best practices for AES encryption using AEAD.  Users interested in creating encrypted archives should evaluate other options.

> MergeContent should support password-protected Zip archives
> -----------------------------------------------------------
>
>                 Key: NIFI-7905
>                 URL: https://issues.apache.org/jira/browse/NIFI-7905
>             Project: Apache NiFi
>          Issue Type: Improvement
>          Components: Extensions
>            Reporter: David Handermann
>            Assignee: David Handermann
>            Priority: Minor
>              Labels: encryption, security, zip
>
> MergeContent should be improved to support creation of password-protected Zip files.  NIFI-7777 introduced support of decrypting password-protected Zip files using [Zip4j|http://www.lingala.net/zip4j.html] and the same library can be leveraged to support password-based encryption using either ZipCrypto Standard encryption or AES encryption.
> Following the [Zip File Format Specification|https://pkware.cachefly.net/webdocs/casestudies/APPNOTE.TXT] Appendix E, Zip4J supports AES-CTR with key lengths of either 128 or 256, and uses HMAC-SHA1 for PBKDF2.  [WinZip|http://www.winzip.com/aes_info.htm] describes the implementation in more detail under the heading of AE-1 and AE-2 specifications.  The Zip4j implementation also appears to limit passwords to ISO-8859-1 characters, which should be checked during property validation.
> ZipCrypto has [known security flaws|https://en.wikipedia.org/wiki/Zip_(file_format)#Encryption], which should be at least mentioned in the property description.
> The implementation should introduce new optional properties for Encryption Password and Encryption Method, listing ZipCrypto, AES-128-CTR and AES-256-CTR as options.  The implementation should also write Flow File attributes indicating the cryptographic algorithm used.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
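
The password check and PBKDF2 key derivation described in the issue, as an added Python sketch that is not part of the original message and is not NiFi or Zip4j code. The iteration count, salt lengths and 2-byte password verifier are taken from the WinZip AE-1/AE-2 specification rather than from this page, and the function names are hypothetical.

```python
import hashlib

# Parameters from the WinZip AE-1/AE-2 specification (assumption: not stated on this page).
PBKDF2_ITERATIONS = 1000
SALT_BYTES = {128: 8, 256: 16}   # AES key bits -> salt length in bytes
VERIFIER_BYTES = 2               # password verification value stored with the entry


def validate_password(password: str) -> bytes:
    """Return the password as ISO-8859-1 bytes, or raise ValueError (hypothetical helper)."""
    if not password:
        raise ValueError("password must not be empty")
    try:
        return password.encode("iso-8859-1")
    except UnicodeEncodeError as exc:
        bad = password[exc.start]
        raise ValueError(
            f"character U+{ord(bad):04X} at index {exc.start} is outside ISO-8859-1"
        ) from None


def derive_ae2_keys(password: str, salt: bytes, key_bits: int):
    """Derive (AES-CTR key, HMAC-SHA1 key, password verifier) with PBKDF2-HMAC-SHA1."""
    if key_bits not in SALT_BYTES:
        raise ValueError("key_bits must be 128 or 256")
    if len(salt) != SALT_BYTES[key_bits]:
        raise ValueError(f"salt must be {SALT_BYTES[key_bits]} bytes for AES-{key_bits}")
    key_len = key_bits // 8
    # One PBKDF2 output is split into three parts, so both keys depend on the password alone.
    material = hashlib.pbkdf2_hmac(
        "sha1", validate_password(password), salt,
        PBKDF2_ITERATIONS, 2 * key_len + VERIFIER_BYTES,
    )
    return material[:key_len], material[key_len:2 * key_len], material[2 * key_len:]


if __name__ == "__main__":
    salt = bytes(range(16))      # constructed sample salt; real salts are random per entry
    enc, mac, pv = derive_ae2_keys("café-2021", salt, 256)
    print(len(enc), len(mac), pv.hex())
    for candidate in ("café-2021", "пароль"):   # constructed sample passwords
        try:
            validate_password(candidate)
            print(candidate, "accepted")
        except ValueError as err:
            print(candidate, "rejected:", err)
```

Encoding the password explicitly matters for interoperability: a library that feeds UTF-8 bytes into PBKDF2 derives different keys from the same non-ASCII password than one that uses ISO-8859-1.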