Posted to issues@nifi.apache.org by "ASF subversion and git services (Jira)" <ji...@apache.org> on 2020/07/29 07:30:01 UTC
[jira] [Commented] (NIFI-7669) Add flow protection key caching mechanism for derived keys
[ https://issues.apache.org/jira/browse/NIFI-7669?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17166993#comment-17166993 ]
ASF subversion and git services commented on NIFI-7669:
-------------------------------------------------------
Commit 716ba992f5b4641c20465638d62d1e3ffe91d118 in nifi's branch refs/heads/main from Andy LoPresto
[ https://gitbox.apache.org/repos/asf?p=nifi.git;h=716ba99 ]
NIFI-7669 Changed custom PBE AEAD algorithm to derive key once rather than on every encrypt/decrypt operation, leading to substantial performance gains.
Updated documentation.
Added unit tests.
NIFI-7669 Moved time-based encryption tests to integration tests to avoid running during CI builds.
NIFI-7669 Fixed failing test due to nifi.properties initialization.
Signed-off-by: Pierre Villard <pi...@gmail.com>
This closes #4435.
> Add flow protection key caching mechanism for derived keys
> ----------------------------------------------------------
>
> Key: NIFI-7669
> URL: https://issues.apache.org/jira/browse/NIFI-7669
> Project: Apache NiFi
> Issue Type: Improvement
> Components: Configuration, Core Framework
> Reporter: Andy LoPresto
> Assignee: Andy LoPresto
> Priority: Major
> Labels: caching, encryption, kdf, performance, security
> Time Spent: 10m
> Remaining Estimate: 0h
>
> The specific algorithm introduced in NIFI-7638 introduces a ~1 sec delay in every encryption operation (which occurs during every flow synchronization and serialization to disk) due to the Argon2 KDF process. This is an acceptable tradeoff for security-conscious users at this time, but can be improved through a key caching mechanism in memory. Deriving the key once at application startup and using it directly will remove this delay, and the key cannot change without an application restart.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)