You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@nifi.apache.org by "David Handermann (Jira)" <ji...@apache.org> on 2021/03/01 17:32:00 UTC
[jira] [Commented] (NIFI-8246) Set Default Sensitive Properties
Algorithm with Improved KDF and Encryption
[ https://issues.apache.org/jira/browse/NIFI-8246?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17293047#comment-17293047 ]
David Handermann commented on NIFI-8246:
----------------------------------------
Sensitive Properties Algorithms with Secure Key Derivation Functions require a password with a minimum of 12 characters. Changes in NIFI-8230 for a longer random key are required prior to change the default algorithm.
> Set Default Sensitive Properties Algorithm with Improved KDF and Encryption
> ---------------------------------------------------------------------------
>
> Key: NIFI-8246
> URL: https://issues.apache.org/jira/browse/NIFI-8246
> Project: Apache NiFi
> Issue Type: Sub-task
> Components: Security
> Affects Versions: 1.13.0
> Reporter: David Handermann
> Assignee: David Handermann
> Priority: Major
>
> The default Sensitive Properties Algorithm specified using {{nifi.sensitive.properties.algorithm}} in {{nifi.properties}} has been {{PBEWITHMD5AND256BITAES-CBC-OPENSSL}} since early release versions. This default value relies on the {{NiFiLegacyCipherProvider}}, which is deprecated. The {{NiFiLegacyCipherProvider}} uses the MD5 hash algorithm with 1000 iterations and a random salt. This algorithm configuration also specifies AES with CBC, which does not provide Authenticated Encryption with Associated Data.
> Recent NiFi versions support the Argon2 secure hashing algorithm and AES in Galois/Counter Mode. NIFI-7668 introduces support for additional secure hashing algorithms along with support for AES-GCM. One of the options that incorporates an improved Key Derivation Function and AES-GCM should be set as the default sensitive properties algorithm in order to provide greater security for encryption of sensitive properties.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)