You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues@nifi.apache.org by "ASF subversion and git services (Jira)" <ji...@apache.org> on 2021/02/22 22:56:00 UTC

[jira] [Commented] (NIFI-8132) Replace Framework Uses of MD5 with Modern Algorithm

    [ https://issues.apache.org/jira/browse/NIFI-8132?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17288675#comment-17288675 ] 

ASF subversion and git services commented on NIFI-8132:
-------------------------------------------------------

Commit 418e2cc2cba69afb522a61bfeaf61ae213d101ed in nifi's branch refs/heads/main from exceptionfactory
[ https://gitbox.apache.org/repos/asf?p=nifi.git;h=418e2cc ]

NIFI-8132 Replaced framework uses of MD5 with SHA-256

NIFI-8132 Added FileDigestUtils in nifi-nar-utils to avoid dependency on nifi-utils

NIFI-8132 Removed unused imports from NarUnpacker

NIFI-8132 Removed MD5 references from FileUtils documentation

NIFI-8132 Replaced StringBuffer with StringBuilder and made new DigestUtils classes final

NIFI-8132 Replaced Collections.sort() with Stream.sorted()

Signed-off-by: Nathan Gough <th...@gmail.com>

This closes #4788.


> Replace Framework Uses of MD5 with Modern Algorithm
> ---------------------------------------------------
>
>                 Key: NIFI-8132
>                 URL: https://issues.apache.org/jira/browse/NIFI-8132
>             Project: Apache NiFi
>          Issue Type: Improvement
>          Components: Core Framework
>    Affects Versions: 1.12.1
>            Reporter: David Handermann
>            Assignee: David Handermann
>            Priority: Major
>              Labels: FIPS, MD5, security
>          Time Spent: 4h 20m
>  Remaining Estimate: 0h
>
> [RFC 1321|https://tools.ietf.org/html/rfc1321] was published in 1992 and described the MD5 message-digest algorithm. Multiple researchers have found [security issues|https://en.wikipedia.org/wiki/MD5#Security] in the MD5 algorithm. The Federal Information Processing Standard 140-2 does not allow MD5 to be used.
> Several NiFi framework classes use the MD5 algorithm for determining whether file contents have changed. Although these uses do not relate directly to encryption operations, use of the MD5 algorithm should be replaced with a modern algorithm that is not subject to the same security issues.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)