Posted to issues@nifi.apache.org by "David Handermann (Jira)" <ji...@apache.org> on 2023/03/13 17:56:00 UTC

[jira] [Updated] (NIFI-11277) Deprecate bcrypt and scrypt Sensitive Properties Algorithms

     [ https://issues.apache.org/jira/browse/NIFI-11277?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

David Handermann updated NIFI-11277:
------------------------------------
    Status: Patch Available  (was: Open)

> Deprecate bcrypt and scrypt Sensitive Properties Algorithms
> -----------------------------------------------------------
>
>                 Key: NIFI-11277
>                 URL: https://issues.apache.org/jira/browse/NIFI-11277
>             Project: Apache NiFi
>          Issue Type: Improvement
>            Reporter: David Handermann
>            Assignee: David Handermann
>            Priority: Major
>             Fix For: 1.21.0, 1.latest
>
>          Time Spent: 10m
>  Remaining Estimate: 0h
>
> NiFi 1.14.0 included new Sensitive Properties Algorithms supporting the following key derivation functions:
>  * bcrypt
>  * scrypt
>  * PBKDF2
> NiFi 1.14.0 also changed the default Sensitive Properties Algorithm to {{NIFI_PBKDF2_AES_GCM_256}} to provide better security than the previous default setting.
> Algorithm selection can be challenging, making sensible defaults an important part of the standard configuration. Supporting a variety of algorithms introduces unnecessary complexity and maintenance.
> [Argon2|https://en.wikipedia.org/wiki/Argon2] incorporates both processing and memory cost factors, making it the ideal solution for many deployments. [PBKDF2|https://en.wikipedia.org/wiki/PBKDF2] supports a processing iteration cost factor and is approved for use on systems requiring compliance with FIPS-140 standards. The [bcrypt|https://en.wikipedia.org/wiki/Bcrypt] algorithm provides strong security using a configurable work factor, but does not have the memory hardness properties of Argon2. The [scrypt|https://en.wikipedia.org/wiki/Scrypt] algorithm supports both processing and memory cost parameters, similar to Argon2.
> Based on algorithm properties, the available options for the NiFi Sensitive Properties Algorithm should be reduced to Argon2 and PBKDF2 with AES-GCM and 256 bit keys.
>  * NIFI_ARGON2_AES_GCM_256
>  * NIFI_PBKDF2_AES_GCM_256
> The {{NIFI_ARGON2_AES_GCM_256}} option has been available since NiFi 1.12.0. There is little value in supporting non-default 128 bit key variants of AES-GCM for the purpose of encrypting sensitive property values. Deprecating the non-default {{bcrypt}} and {{scrypt}} variants for removal in NiFi 2.0 will also provide a clearer set of recommendations.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
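
An added example, not part of the Jira issue or the NiFi code base: a check that reads the sensitive properties algorithm from the text of a `nifi.properties` file and reports whether it is one of the two options the issue proposes to keep. The key `nifi.sensitive.props.algorithm` is NiFi's setting name and is not quoted in the message above; the `NIFI_<KDF>_AES_GCM_<bits>` pattern for other values is assumed from the two names given, and the sample file is constructed.

```python
import re

# NiFi's setting name in nifi.properties (not quoted in the issue text above).
PROPERTY = "nifi.sensitive.props.algorithm"
# The two options the issue proposes to keep.
RETAINED = {"NIFI_ARGON2_AES_GCM_256", "NIFI_PBKDF2_AES_GCM_256"}
# KDFs the issue deprecates for removal in NiFi 2.0.
DEPRECATED_KDFS = ("BCRYPT", "SCRYPT")
# Assumed naming pattern, inferred from the two retained names.
NAME = re.compile(r"NIFI_([A-Z0-9]+)_AES_GCM_(128|256)")
LINE = re.compile(r"^\s*" + re.escape(PROPERTY) + r"\s*[=:]\s*(.*?)\s*$")


def read_algorithm(properties_text):
    """Return the effective value; the last assignment wins, as in java.util.Properties."""
    value = None
    for line in properties_text.splitlines():
        if line.lstrip().startswith(("#", "!")):
            continue  # comment line
        match = LINE.match(line)
        if match:
            value = match.group(1)
    return value or None


def classify(value):
    """Map a configured value to 'unset', 'retained', 'deprecated' or 'review'."""
    if value is None:
        return "unset"
    if value in RETAINED:
        return "retained"
    match = NAME.fullmatch(value)
    if match and match.group(1) in DEPRECATED_KDFS:
        return "deprecated"
    # 128-bit variants, legacy or unrecognised names: outside the proposed set.
    return "review"


# Constructed sample file: a commented-out old value, then two assignments.
SAMPLE = """\
# nifi.sensitive.props.algorithm=NIFI_PBKDF2_AES_GCM_256
nifi.sensitive.props.key=
nifi.sensitive.props.algorithm=NIFI_ARGON2_AES_GCM_256
nifi.sensitive.props.algorithm = NIFI_BCRYPT_AES_GCM_256
"""

if __name__ == "__main__":
    configured = read_algorithm(SAMPLE)
    print(configured, "->", classify(configured))
```

A `deprecated` or `review` result only identifies the setting; existing sensitive values stay encrypted under the old algorithm until they are re-encrypted under the new one.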