You are viewing a plain text version of this content. The canonical link for it is here.

Posted to commits@nifi.apache.org by "Andy LoPresto (JIRA)" <ji...@apache.org> on 2016/02/04 01:58:39 UTC

[jira] [Created] (NIFI-1465) Upgrade encryption of sensitive properties

Andy LoPresto created NIFI-1465:
-----------------------------------

             Summary: Upgrade encryption of sensitive properties
                 Key: NIFI-1465
                 URL: https://issues.apache.org/jira/browse/NIFI-1465
             Project: Apache NiFi
          Issue Type: Bug
          Components: Core Framework
    Affects Versions: 0.5.0
            Reporter: Andy LoPresto
            Assignee: Andy LoPresto
             Fix For: 0.6.0


Currently, NiFi accepts a password and encryption algorithm in `nifi.properties` which are used to encrypt all sensitive processor properties throughout the application. The password defaults to empty and the algorithm defaults to `PBEWITHMD5AND256BITAES-CBC-OPENSSL`. This algorithm:

* uses a digest function (`MD5`) which is not cryptographically secure [1][2][3][4]
* uses a single iteration count [5][6]
* limits password input to 16 characters on JVMs without the unlimited strength cryptographic jurisdiction policy files installed [NIFI-1255]

all of which combine to make it extremely insecure. We should change the default algorithm to use a strong key derivation function (KDF) [7] which will properly derive a key to protect the sensitive properties. 

Because existing systems have already encrypted the properties using a key derived from the original settings, we should provide a translation/upgrade utility to seamlessly convert the stored values from the old password & algorithm combination to the new. 

[1] http://security.stackexchange.com/a/19908/16485
[2] http://security.stackexchange.com/a/31846/16485
[3] http://security.stackexchange.com/questions/52461/how-weak-is-md5-as-a-password-hashing-function
[4] http://security.stackexchange.com/a/31410/16485
[5] http://security.stackexchange.com/a/29139/16485
[6] https://www.openssl.org/docs/manmaster/crypto/EVP_BytesToKey.html
[7] https://cwiki.apache.org/confluence/display/NIFI/Key+Derivation+Function+Explanations



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)