Posted to issues@nifi.apache.org by "David Handermann (Jira)" <ji...@apache.org> on 2021/02/20 18:10:00 UTC

[jira] [Created] (NIFI-8246) Set Default Sensitive Properties Algorithm with Improved KDF and Encryption

David Handermann created NIFI-8246:
--------------------------------------

             Summary: Set Default Sensitive Properties Algorithm with Improved KDF and Encryption
                 Key: NIFI-8246
                 URL: https://issues.apache.org/jira/browse/NIFI-8246
             Project: Apache NiFi
          Issue Type: Sub-task
          Components: Security
    Affects Versions: 1.13.0
            Reporter: David Handermann


The default Sensitive Properties Algorithm specified using {{nifi.sensitive.properties.algorithm}} in {{nifi.properties}} has been {{PBEWITHMD5AND256BITAES-CBC-OPENSSL}} since early release versions.  This default value relies on the {{NiFiLegacyCipherProvider}}, which is deprecated.  The {{NiFiLegacyCipherProvider}} uses the MD5 hash algorithm with 1000 iterations and a random salt.  This algorithm configuration also specifies AES with CBC, which does not provide Authenticated Encryption with Associated Data.

Recent NiFi versions support the Argon2 secure hashing algorithm and AES in Galois/Counter Mode.  NIFI-7668 introduces support for additional secure hashing algorithms along with support for AES-GCM.  One of the options that incorporates an improved Key Derivation Function and AES-GCM should be set as the default sensitive properties algorithm in order to provide greater security for encryption of sensitive properties.



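The difference the issue draws between AES-CBC and an authenticated mode such as AES-GCM, shown as an added example that is not part of the original message and not NiFi code. PBKDF2-HMAC-SHA256 from the JDK stands in for the improved KDF because Argon2 is not available in the JDK; the class name, key, property value, and iteration count are all constructed for the demonstration.

```java
import javax.crypto.Cipher;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.*;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.security.spec.AlgorithmParameterSpec;

public class SensitivePropertyIntegrityDemo {
    // All values below are constructed for this demonstration.
    static final char[] PROPERTIES_KEY = "constructed-sensitive-props-key".toCharArray();
    static final byte[] VALUE = "constructed-db-password-0123456789".getBytes(StandardCharsets.UTF_8);

    // Assumption: PBKDF2-HMAC-SHA256 stands in for the improved KDF (Argon2 is not in the JDK).
    static SecretKeySpec deriveKey(byte[] salt) throws GeneralSecurityException {
        PBEKeySpec spec = new PBEKeySpec(PROPERTIES_KEY, salt, 160_000, 256);
        byte[] key = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
        return new SecretKeySpec(key, "AES");
    }

    static AlgorithmParameterSpec params(boolean gcm, byte[] iv) {
        return gcm ? new GCMParameterSpec(128, iv) : new IvParameterSpec(iv);
    }

    // Encrypts VALUE, flips one bit of the stored IV/nonce, then tries to decrypt.
    static String tamperAndDecrypt(String transformation, boolean gcm, SecretKeySpec key) {
        try {
            byte[] iv = new byte[gcm ? 12 : 16];
            new SecureRandom().nextBytes(iv);
            Cipher cipher = Cipher.getInstance(transformation);
            cipher.init(Cipher.ENCRYPT_MODE, key, params(gcm, iv));
            byte[] ciphertext = cipher.doFinal(VALUE);
            iv[0] ^= 0x01; // simulated modification of the stored value
            cipher.init(Cipher.DECRYPT_MODE, key, params(gcm, iv));
            return "accepted: " + new String(cipher.doFinal(ciphertext), StandardCharsets.UTF_8);
        } catch (GeneralSecurityException e) {
            return "rejected: " + e.getClass().getSimpleName();
        }
    }

    public static void main(String[] args) throws GeneralSecurityException {
        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt);
        SecretKeySpec key = deriveKey(salt);
        System.out.println("AES-CBC " + tamperAndDecrypt("AES/CBC/PKCS5Padding", false, key));
        System.out.println("AES-GCM " + tamperAndDecrypt("AES/GCM/NoPadding", true, key));
    }
}
```

With CBC the modified value decrypts without error and the first plaintext byte changes silently; with GCM the tag check fails and decryption is rejected with an AEADBadTagException.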