Posted to issues@nifi.apache.org by "Troy Melhase (JIRA)" <ji...@apache.org> on 2019/04/18 19:57:00 UTC
[jira] [Commented] (NIFI-5285) Re-evaluate memory/time cost parameters for 2018
[ https://issues.apache.org/jira/browse/NIFI-5285?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16821449#comment-16821449 ]
Troy Melhase commented on NIFI-5285:
------------------------------------
The test files that check/provide these values are:
* [BcryptCipherProviderGroovyTest.groovy|https://github.com/apache/nifi/blob/master/nifi-commons/nifi-security-utils/src/test/groovy/org/apache/nifi/security/util/crypto/BcryptCipherProviderGroovyTest.groovy]
* [PBKDF2CipherProviderGroovyTest.groovy|https://github.com/apache/nifi/blob/master/nifi-commons/nifi-security-utils/src/test/groovy/org/apache/nifi/security/util/crypto/PBKDF2CipherProviderGroovyTest.groovy]
* [ScryptCipherProviderGroovyTest.groovy|https://github.com/apache/nifi/blob/master/nifi-commons/nifi-security-utils/src/test/groovy/org/apache/nifi/security/util/crypto/ScryptCipherProviderGroovyTest.groovy]
The tests were enabled on each test host by editing the files:
{{$ sed -i '/@Ignore/d' PBKDF2CipherProviderGroovyTest.groovy}}
{{$ sed -i '/@Ignore/d' ScryptCipherProviderGroovyTest.groovy}}
{{$ sed -i '/@Ignore/d' BcryptCipherProviderGroovyTest.groovy}}
Running `mvn test` on a GCP "n1-standard-1" instance (1 vCPU, 3.75 GB memory):
{{[ERROR] testDefaultConstructorShouldProvideStrongIterationCount(org.apache.nifi.security.util.crypto.PBKDF2CipherProviderGroovyTest) Time elapsed: 0.266 s <<< FAILURE!}}
{{[ERROR] testDefaultConstructorShouldProvideStrongWorkFactor(org.apache.nifi.security.util.crypto.BcryptCipherProviderGroovyTest) Time elapsed: 0.06 s <<< FAILURE!}}
Running `mvn test` on local laptop (Linux host, i9 2.9 GHz, 32 GB RAM):
{{[ERROR] testDefaultConstructorShouldProvideStrongIterationCount(org.apache.nifi.security.util.crypto.PBKDF2CipherProviderGroovyTest) Time elapsed: 0.134 s <<< FAILURE!}}
{{[ERROR] testDefaultConstructorShouldProvideStrongWorkFactor(org.apache.nifi.security.util.crypto.BcryptCipherProviderGroovyTest) Time elapsed: 0.026 s <<< FAILURE!}}
{{[ERROR] testDefaultConstructorShouldProvideStrongParameters(org.apache.nifi.security.util.crypto.ScryptCipherProviderGroovyTest) Time elapsed: 0.006 s <<< FAILURE!}}
Locating the calculated work factor values from the test output (via ag "Determined minimum safe", dupes removed):
local laptop:
84:2019-04-18 11:46:24,816 INFO BcryptCipherProviderGroovyTest - Determined minimum safe work factor to be 13
223:2019-04-18 11:46:25,200 INFO ScryptCipherProviderGroovyTest - Determined minimum safe parameters to be N=32768, r=8, p=1
92:2019-04-18 11:46:24,299 INFO PBKDF2CipherProviderGroovyTest - Determined minimum safe iteration count to be 640000
GCP instance:
215:2019-04-18 19:35:33,110 INFO PBKDF2CipherProviderGroovyTest - Determined minimum safe iteration count to be 320000
84:2019-04-18 19:35:33,721 INFO BcryptCipherProviderGroovyTest - Determined minimum safe work factor to be 13
205:2019-04-18 19:35:31,410 INFO ScryptCipherProviderGroovyTest - Determined minimum safe parameters to be N=4096, r=8, p=1
> Re-evaluate memory/time cost parameters for 2018
> ------------------------------------------------
>
> Key: NIFI-5285
> URL: https://issues.apache.org/jira/browse/NIFI-5285
> Project: Apache NiFi
> Issue Type: Task
> Components: Documentation & Website
> Affects Versions: 1.6.0
> Reporter: Andy LoPresto
> Assignee: Troy Melhase
> Priority: Major
> Labels: documentation, security
>
> There are some bcrypt, SCrypt, and PBKDF2 initial parameters which were determined to be secure against a default threat model given best known attacks in 2016. These should be re-evaluated for 2018.
> Administration Guide
> * Line 1303
> * Line 1311
> * Line 1321
> * Line 1637
> If these values are updated, backward-compatibility for internal uses also needs to be evaluated.
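The "minimum safe" values in the comment differ between the two hosts because they are derived from timing on the host that runs the tests. The following is an added sketch, not NiFi's test code and not written by the commenter, of one way such a value can be calibrated: double the cost until a single derivation takes at least a target time. The 0.5 s target, the starting count of 10,000, the choice of PBKDF2-HMAC-SHA512 and all function names are assumptions; the scrypt figure uses the standard 128 * N * r memory approximation.

```python
import hashlib
import time

TARGET_SECONDS = 0.5       # assumption: per-derivation time target, not a value from the page
START_ITERATIONS = 10_000  # assumption: starting point for the search


def time_pbkdf2(iterations, password=b"constructed-password", salt=b"constructed-salt-16b"):
    """Wall-clock seconds for one PBKDF2-HMAC-SHA512 derivation on this host."""
    begin = time.perf_counter()
    hashlib.pbkdf2_hmac("sha512", password, salt, iterations, dklen=32)
    return time.perf_counter() - begin


def calibrate(measure, start_cost, target=TARGET_SECONDS, max_cost=1 << 30, samples=3):
    """Double the cost until the fastest of `samples` runs takes at least `target` seconds.

    The fastest run is used so that scheduler noise cannot make a cost look
    more expensive than it is. `measure(cost)` returns elapsed seconds.
    """
    cost = start_cost
    while cost <= max_cost:
        if min(measure(cost) for _ in range(samples)) >= target:
            return cost
        cost *= 2
    raise RuntimeError("target time not reached at or below max_cost")


def scrypt_memory_bytes(n, r):
    """Approximate scrypt working memory (128 * N * r bytes)."""
    return 128 * n * r


if __name__ == "__main__":
    print("PBKDF2 iterations for this host:", calibrate(time_pbkdf2, START_ITERATIONS))
    for n in (4096, 32768):  # the two N values in the log lines above, with r=8
        print(f"scrypt N={n}, r=8 needs about {scrypt_memory_bytes(n, 8) // 2**20} MiB")
```

For the same time target a faster host reports a higher cost, which matches the pattern in the two sets of log lines above.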