Posted to users@nifi.apache.org by Madhan Vishwas <ma...@gmail.com> on 2020/11/30 16:02:41 UTC

Data Encryption in NiFi using AES-GCM Hybrid or ECC

Hi All,
I am using EncryptContent (with PGP) for encrypting text file data.
The intent here is to implement asymmetric encryption for cross-platform
purposes (encryption and the data source are on the NiFi side, while the recipient
and decryption are on the .NET / C# side).

However, the organization policies mandate me to move away from PGP.

This leaves me with two approaches - one is to use a hybrid approach with one
of the symmetric algorithms (AES-GCM for instance) in combination with
RSA for encrypting / decrypting the key.

Another approach suggested is to use ECC.
However, as my understanding goes - as of now NiFi doesn't support ECC, and
this will likely require a custom processor implementation.

Any hint / advice on easy implementation of either approach would be hugely
appreciated.

Thanks in advance.
Cheers,
Madhan,
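As an added illustration of the hybrid approach described in the post (example code, not from the thread or from NiFi): a minimal Java envelope that encrypts content with AES-256-GCM and wraps the content-encryption key with RSA-OAEP using only the JDK. The class name `HybridEnvelope` and the envelope layout are assumptions; the explicit OAEP parameters matter for the .NET receiver because SunJCE's `OAEPWithSHA-256AndMGF1Padding` defaults to MGF1 with SHA-1, while .NET's `RSAEncryptionPadding.OaepSHA256` uses SHA-256 for both.

```java
import java.nio.ByteBuffer;
import java.security.*;
import java.security.spec.MGF1ParameterSpec;
import javax.crypto.*;
import javax.crypto.spec.*;

public class HybridEnvelope {
    private static final int NONCE_LEN = 12, TAG_BITS = 128;
    // SHA-256 for both the OAEP hash and MGF1: without this spec SunJCE uses MGF1 with SHA-1, which .NET's OaepSHA256 rejects.
    private static final OAEPParameterSpec OAEP = new OAEPParameterSpec(
            "SHA-256", "MGF1", MGF1ParameterSpec.SHA256, PSource.PSpecified.DEFAULT);
    // Assumed envelope layout: [4-byte big-endian wrapped-key length][wrapped key][12-byte nonce][ciphertext || 16-byte tag]
    public static byte[] encrypt(PublicKey recipient, byte[] plaintext, byte[] aad) throws GeneralSecurityException {
        KeyGenerator kg = KeyGenerator.getInstance("AES"); kg.init(256);
        SecretKey cek = kg.generateKey();                  // fresh content-encryption key per message
        byte[] nonce = new byte[NONCE_LEN];
        new SecureRandom().nextBytes(nonce);               // never reuse a nonce under the same key
        Cipher gcm = Cipher.getInstance("AES/GCM/NoPadding");
        gcm.init(Cipher.ENCRYPT_MODE, cek, new GCMParameterSpec(TAG_BITS, nonce));
        gcm.updateAAD(aad);                                // binds metadata such as the filename to the ciphertext
        byte[] ct = gcm.doFinal(plaintext);                // ciphertext with the 16-byte GCM tag appended
        Cipher rsa = Cipher.getInstance("RSA/ECB/OAEPWithSHA-256AndMGF1Padding");
        rsa.init(Cipher.ENCRYPT_MODE, recipient, OAEP);
        byte[] wrapped = rsa.doFinal(cek.getEncoded());    // only the recipient's private key can unwrap this
        return ByteBuffer.allocate(4 + wrapped.length + NONCE_LEN + ct.length)
                .putInt(wrapped.length).put(wrapped).put(nonce).put(ct).array();
    }

    public static byte[] decrypt(PrivateKey recipient, byte[] envelope, byte[] aad) throws GeneralSecurityException {
        ByteBuffer buf = ByteBuffer.wrap(envelope);
        byte[] wrapped = new byte[buf.getInt()], nonce = new byte[NONCE_LEN];
        buf.get(wrapped).get(nonce);
        byte[] ct = new byte[buf.remaining()];
        buf.get(ct);
        Cipher rsa = Cipher.getInstance("RSA/ECB/OAEPWithSHA-256AndMGF1Padding");
        rsa.init(Cipher.DECRYPT_MODE, recipient, OAEP);
        SecretKey cek = new SecretKeySpec(rsa.doFinal(wrapped), "AES");
        Cipher gcm = Cipher.getInstance("AES/GCM/NoPadding");
        gcm.init(Cipher.DECRYPT_MODE, cek, new GCMParameterSpec(TAG_BITS, nonce));
        gcm.updateAAD(aad);
        return gcm.doFinal(ct);                            // throws AEADBadTagException if the tag does not verify
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA"); kpg.initialize(3072);
        KeyPair kp = kpg.generateKeyPair();                // constructed recipient key pair for the demo
        byte[] env = encrypt(kp.getPublic(), "constructed sample text".getBytes(), "filename=orders.txt".getBytes());
        System.out.println(new String(decrypt(kp.getPrivate(), env, "filename=orders.txt".getBytes())));
    }
}
```

On the .NET side the same envelope opens with `RSA.Decrypt(wrapped, RSAEncryptionPadding.OaepSHA256)` followed by `AesGcm.Decrypt(nonce, ciphertext, tag, plaintext, aad)`, with the last 16 bytes of the GCM output passed separately as the tag.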

Re: Data Encryption in NiFi using AES-GCM Hybrid or ECC

Posted by Madhan Vishwas <ma...@gmail.com>.
Hi David,
Thank you for your response. I am looking into it and will revert with more
details.
- Madhan,

On Tue, 1 Dec 2020 at 00:28, David Handermann <ex...@gmail.com>
wrote:

Re: Data Encryption in NiFi using AES-GCM Hybrid or ECC

Posted by David Handermann <ex...@gmail.com>.
Hi Madhan,

Thanks for summarizing your use case.  EncryptContent supports a variety of
configuration options, but it is currently limited to either password-based
encryption or PGP-based encryption as you described.

As a proof-of-concept, I recently created several custom NiFi Processors
and Controller Services to support content encryption and decryption using
X.509 certificates and keys.  The content format is Cryptographic Message
Syntax (CMS), which is the format underlying S/MIME email encryption.  The
purpose of these components is to support content encryption using standard
public-key infrastructure certificates and keys.  The implementation
currently supports configurable keystores in NiFi, formatted as either JKS
or PKCS12 files.  Bouncy Castle, on which the implementation is based, also
provides a C# API <http://www.bouncycastle.org/csharp/>, which you might be
able to integrate on the receiving end.

For reference, here is the current proof-of-concept repository which
contains the source code for the NiFi components:

https://github.com/exceptionfactory/nifi-cms-bundle

There is also an open Pull Request for NIFI-7836
<https://github.com/apache/nifi/pull/4557>, which has not yet been reviewed.

Please feel free to comment on the PR or the Jira issue
<https://issues.apache.org/jira/browse/NIFI-7836> if you have any thoughts
on the implementation or potential use cases.

Regards,
David Handermann

On Mon, Nov 30, 2020 at 11:03 AM Madhan Vishwas <ma...@gmail.com>
wrote:
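An added example (not code from David's nifi-cms-bundle or from the thread) of the CMS EnvelopedData approach described in the reply, in Java with Bouncy Castle's bcprov-jdk15on and bcpkix-jdk15on libraries: one X.509 recipient, AES-256-GCM content encryption, and a constructed self-signed certificate standing in for the JKS/PKCS12 keystore entry. The class name `CmsEnvelope`, the method names and the certificate subject are assumptions.

```java
import java.math.BigInteger;
import java.security.*;
import java.security.cert.X509Certificate;
import java.util.Date;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.cert.jcajce.*;
import org.bouncycastle.cms.*;
import org.bouncycastle.cms.jcajce.*;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.operator.ContentSigner;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;

public class CmsEnvelope {
    static { Security.addProvider(new BouncyCastleProvider()); }

    // Builds a CMS EnvelopedData (RFC 5652) for one X.509 recipient: the content key is transported under the
    // certificate's RSA key and the content is encrypted with AES-256-GCM (RFC 5084). Returns DER bytes.
    public static byte[] envelope(X509Certificate recipient, byte[] content) throws Exception {
        CMSEnvelopedDataGenerator gen = new CMSEnvelopedDataGenerator();
        gen.addRecipientInfoGenerator(new JceKeyTransRecipientInfoGenerator(recipient).setProvider("BC"));
        // The receiver must support the chosen content cipher; AES256_CBC is the most widely implemented fallback.
        return gen.generate(new CMSProcessableByteArray(content),
                new JceCMSContentEncryptorBuilder(CMSAlgorithm.AES256_GCM).setProvider("BC").build()).getEncoded();
    }

    // Opens the envelope with the recipient's private key. Each RecipientInfo carries issuer and serial number,
    // so a receiver holding several keys can select the matching one (here there is only one recipient).
    public static byte[] open(PrivateKey recipientKey, byte[] der) throws Exception {
        RecipientInformation ri = new CMSEnvelopedData(der).getRecipientInfos().getRecipients().iterator().next();
        return ri.getContent(new JceKeyTransEnvelopedRecipient(recipientKey).setProvider("BC"));
    }

    // Constructed self-signed recipient certificate so the demo runs without a keystore;
    // in NiFi the certificate and key would be loaded from the configured JKS/PKCS12 keystore instead.
    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA", "BC");
        kpg.initialize(3072);
        KeyPair kp = kpg.generateKeyPair();
        X500Name name = new X500Name("CN=example-recipient");
        Date now = new Date(), later = new Date(now.getTime() + 365L * 24 * 3600 * 1000);
        ContentSigner signer = new JcaContentSignerBuilder("SHA256withRSA").setProvider("BC").build(kp.getPrivate());
        X509Certificate cert = new JcaX509CertificateConverter().setProvider("BC").getCertificate(
                new JcaX509v3CertificateBuilder(name, BigInteger.ONE, now, later, name, kp.getPublic()).build(signer));

        byte[] der = envelope(cert, "constructed sample text".getBytes());
        System.out.println(new String(open(kp.getPrivate(), der)));
    }
}
```

The key-transport algorithm used by this constructor is RSA PKCS#1 v1.5; Bouncy Castle's overload of `JceKeyTransRecipientInfoGenerator` that takes an `AlgorithmIdentifier` selects RSAES-OAEP instead, which is the better choice when the receiving library supports it.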