Apache NiFi: NIFI-1257

Provide additional KDFs for EncryptContent


      Description

      Currently, the two key derivation functions (KDF) supported are NiFi Legacy (1000 iterations of MD5 digest over a password and optional salt) and OpenSSL PKCS#5 v1.5 (a single iteration of MD5 digest over a password and optional salt).

      Both of these are very weak – they use a deprecated cryptographic hash function (CHF) with known weaknesses and susceptibility to collisions (with demonstrated attacks), and a non-configurable, tightly coupled iteration count to derive the key and IV.

      Current best practice KDFs (with work factor recommendations) are as follows:

      • PBKDF2 with variable hash function (SHA1, SHA256, SHA384, SHA512, or ideally HMAC variants of these functions) and variable iteration count (in the 10k - 1M range).
      • bcrypt with work factor of 12 - 16
      • scrypt with work factor of (2^14 - 2^20, 8, 1)

      The salt and iteration count should be stored alongside the hashed record (bcrypt handles this natively).
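      The following is an added illustration, not code from this ticket or from the NiFi code base: it implements the single-pass MD5 derivation described above (OpenSSL's EVP_BytesToKey, which is what the "OpenSSL PKCS#5 v1.5" KDF refers to) next to a PBKDF2-HMAC-SHA256 derivation whose salt and iteration count are serialized into a small header that travels with the ciphertext, so the decrypting side can re-derive the same key. The header layout, the tag `EXKDF1`, the iteration floor `MIN_ITERATIONS` and all function names are assumptions made for this example.

```python
# Added example (not Apache NiFi project code). Names, the record layout
# (EXKDF1 tag, header fields) and MIN_ITERATIONS are assumptions for illustration.
import hashlib
import hmac
import os
import struct


def evp_bytes_to_key_md5(password: bytes, salt: bytes, key_len: int, iv_len: int, count: int = 1):
    """OpenSSL EVP_BytesToKey with MD5 (the "OpenSSL PKCS#5 v1.5" KDF).

    D_1 = MD5(password || salt); D_i = MD5(D_{i-1} || password || salt).
    With count > 1 each D_i is re-hashed count-1 more times (OpenSSL and
    NiFi use count=1). D_1 || D_2 || ... is split into key and IV, so an
    AES-256 key plus IV costs three MD5 calls: guess rate is bounded only
    by MD5 throughput, and the salt (8 bytes or none) is the sole variable.
    """
    if len(salt) not in (0, 8):
        raise ValueError("OpenSSL uses an 8-byte salt or none")
    out = b""
    prev = b""
    while len(out) < key_len + iv_len:
        d = hashlib.md5(prev + password + salt).digest()
        for _ in range(count - 1):
            d = hashlib.md5(d).digest()
        out += d
        prev = d
    return out[:key_len], out[key_len:key_len + iv_len]


MAGIC = b"EXKDF1"        # assumed record tag for this example
MIN_ITERATIONS = 10_000  # floor taken from the 10k - 1M recommendation above
SALT_LEN = 16


def pbkdf2_header(salt: bytes, iterations: int) -> bytes:
    """Serialize KDF parameters: MAGIC || iterations (uint32 BE) || salt_len (uint8) || salt."""
    return MAGIC + struct.pack(">IB", iterations, len(salt)) + salt


def parse_pbkdf2_header(blob: bytes):
    """Return (iterations, salt, remaining_bytes); raise ValueError on a bad header."""
    if not blob.startswith(MAGIC):
        raise ValueError("not a PBKDF2 record")
    pos = len(MAGIC)
    if len(blob) < pos + 5:
        raise ValueError("truncated header")
    iterations, salt_len = struct.unpack(">IB", blob[pos:pos + 5])
    pos += 5
    salt = blob[pos:pos + salt_len]
    if len(salt) != salt_len:
        raise ValueError("truncated salt")
    # The header is attacker-controlled input: refuse a downgraded work factor.
    if iterations < MIN_ITERATIONS:
        raise ValueError(f"iteration count {iterations} below floor {MIN_ITERATIONS}")
    return iterations, salt, blob[pos + salt_len:]


def derive_pbkdf2(password: bytes, salt: bytes, iterations: int, key_len: int = 32) -> bytes:
    """PBKDF2-HMAC-SHA256 with a caller-chosen iteration count (work factor)."""
    if iterations < MIN_ITERATIONS:
        raise ValueError(f"iteration count {iterations} below floor {MIN_ITERATIONS}")
    return hashlib.pbkdf2_hmac("sha256", password, salt, iterations, dklen=key_len)


def encrypt_side(password: bytes, iterations: int = 100_000, salt=None):
    """Pick a fresh random salt, derive the key, return (header, key).
    The header is stored with the ciphertext; the key never is."""
    salt = os.urandom(SALT_LEN) if salt is None else salt
    key = derive_pbkdf2(password, salt, iterations)
    return pbkdf2_header(salt, iterations), key


def decrypt_side(password: bytes, blob: bytes):
    """Read salt and iteration count back out of the stored blob and re-derive the key."""
    iterations, salt, rest = parse_pbkdf2_header(blob)
    return derive_pbkdf2(password, salt, iterations), rest


def keys_match(a: bytes, b: bytes) -> bool:
    """Constant-time comparison for checking a derived key against a stored verifier."""
    return hmac.compare_digest(a, b)


if __name__ == "__main__":
    pw = b"correct horse battery staple"
    k, iv = evp_bytes_to_key_md5(pw, b"\x00" * 8, 32, 16)
    print("EVP_BytesToKey(MD5) key:", k.hex(), "iv:", iv.hex())
    header, key = encrypt_side(pw)
    blob = header + b"<ciphertext would follow>"
    rekey, rest = decrypt_side(pw, blob)
    print("PBKDF2 re-derived key matches:", keys_match(key, rekey), "payload:", rest)
```

      The point of the header parser is the floor check: because the iteration count is read from the same untrusted blob as the ciphertext, a decryptor that honors any value it finds can be driven back down to the cost of the legacy KDFs. bcrypt avoids a separate header because its output string already carries the cost and salt; scrypt and PBKDF2 do not, so the caller has to store them.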


        Attachments

        1257_salt_patch.diff (288 kB, Andy LoPresto)

              People

              Assignee: Andy LoPresto (alopresto)
              Reporter: Andy LoPresto (alopresto)
              Votes: 0
              Watchers: 6
