You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@nifi.apache.org by "Andy LoPresto (JIRA)" <ji...@apache.org> on 2015/12/02 22:04:11 UTC
[jira] [Commented] (NIFI-1242) Password-based encryption is not
compatible with OpenSSL
[ https://issues.apache.org/jira/browse/NIFI-1242?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15036618#comment-15036618 ]
Andy LoPresto commented on NIFI-1242:
-------------------------------------
After discussion with [~joewitt] we will provide a new property on the encryption processor to allow users to select the KDF -- the current option will be "NiFi legacy" and a new option will be "OpenSSL MD5 PBKDF1.5", compatible with OpenSSL command-line (EVP_BytesToKey). In the future, options like bcrypt, scrypt, and PBKDF2 will be supported.
> Password-based encryption is not compatible with OpenSSL
> --------------------------------------------------------
>
> Key: NIFI-1242
> URL: https://issues.apache.org/jira/browse/NIFI-1242
> Project: Apache NiFi
> Issue Type: Bug
> Components: Extensions
> Affects Versions: 0.4.0
> Reporter: Andy LoPresto
> Assignee: Andy LoPresto
> Priority: Critical
> Labels: easyfix, security
> Fix For: 0.4.0
>
> Original Estimate: 24h
> Remaining Estimate: 24h
>
> Despite the algorithm names indicating compatibility with OpenSSL, the current password-based encryption processors cannot decrypt data that was encrypted with OpenSSL external to NiFi.
> I will create a new OpenSSLPBEEncryptor implementation, a new EncryptionMethod, and wire the logic in EncryptContent to select the correct encryptor.
> I have a more in-depth explanation of the issue at https://github.com/alopresto/opensslpbeencryptor/blob/master/blog.md, but the fix is done in a sandbox and will be moved into NiFi by morning 12/03/15.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)