Apache NiFi / NIFI-1257

Provide additional KDFs for EncryptContent



      Description

      Currently, the two key derivation functions (KDFs) supported are NiFi Legacy (1000 iterations of MD5 digest over a password and optional salt) and OpenSSL PKCS#5 v1.5 (a single iteration of MD5 digest over a password and optional salt).

      Both of these are very weak – they use a deprecated cryptographic hash function (CHF) with known weaknesses and susceptibility to collisions (with demonstrated attacks), and a non-configurable, tightly coupled iteration count to derive the key and IV.

      Current best practice KDFs (with work factor recommendations) are as follows:

      • PBKDF2 with variable hash function (SHA1, SHA256, SHA384, SHA512, or ideally HMAC variants of these functions) and variable iteration count (in the 10k - 1M range).
      • bcrypt with work factor of 12 - 16
      • scrypt with work factor of (2^14 - 2^20, 8, 1)

      The salt and iteration count should be stored alongside the hashed record (bcrypt handles this natively).
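The following is an added illustration of what the issue asks for, not code from the NiFi project: a PBKDF2-HMAC derivation with a caller-selected hash and iteration count, an scrypt derivation with its (N, r, p) work factor, work-factor checks using the ranges given above, and a JSON header that stores the KDF name, its cost parameters and the salt alongside the record so the same key and IV can be re-derived later. The 32-byte key / 16-byte IV split, the JSON header layout and the default cost values are assumptions made for the example; the issue does not fix any of them.

```python
import base64
import hashlib
import json
import os

# Added example, not Apache NiFi project code. Derived bytes are split into a
# 32-byte key and a 16-byte IV (an assumption; the issue does not fix a cipher),
# and the KDF parameters plus salt are carried in a header next to the record.

KEY_LEN = 32
IV_LEN = 16
SALT_LEN = 16

# Work-factor ranges taken from the issue description.
PBKDF2_MIN_ITERATIONS = 10_000
PBKDF2_MAX_ITERATIONS = 1_000_000
SCRYPT_N_RANGE = (2 ** 14, 2 ** 20)


def pbkdf2(password: bytes, salt: bytes, hash_name: str, iterations: int,
           dklen: int = KEY_LEN + IV_LEN) -> bytes:
    """PBKDF2 with HMAC-<hash_name> as the PRF (hashlib.pbkdf2_hmac)."""
    return hashlib.pbkdf2_hmac(hash_name, password, salt, iterations, dklen)


def scrypt(password: bytes, salt: bytes, n: int, r: int, p: int,
           dklen: int = KEY_LEN + IV_LEN) -> bytes:
    """scrypt; it needs roughly 128 * r * N bytes, so maxmem is scaled with N."""
    return hashlib.scrypt(password, salt=salt, n=n, r=r, p=p,
                          maxmem=2 * 128 * r * n, dklen=dklen)


def check_work_factor(params: dict) -> None:
    """Reject cost parameters outside the ranges recommended in the issue."""
    if params["kdf"] == "pbkdf2":
        if not PBKDF2_MIN_ITERATIONS <= params["iterations"] <= PBKDF2_MAX_ITERATIONS:
            raise ValueError(f"PBKDF2 iterations {params['iterations']} outside 10k..1M")
    elif params["kdf"] == "scrypt":
        if not SCRYPT_N_RANGE[0] <= params["n"] <= SCRYPT_N_RANGE[1]:
            raise ValueError(f"scrypt N {params['n']} outside 2^14..2^20")
    else:
        raise ValueError(f"unknown kdf {params['kdf']!r}")


def derive(password: str, params: dict):
    """Derive (key, iv) from a password and a parameter dict that carries the salt."""
    check_work_factor(params)
    salt = base64.b64decode(params["salt"])
    pw = password.encode("utf-8")
    if params["kdf"] == "pbkdf2":
        dk = pbkdf2(pw, salt, params["hash"], params["iterations"])
    else:
        dk = scrypt(pw, salt, params["n"], params["r"], params["p"])
    return dk[:KEY_LEN], dk[KEY_LEN:]


def new_params(kdf: str = "pbkdf2", **cost) -> dict:
    """Fresh random salt plus the chosen KDF and its cost parameters (defaults assumed)."""
    salt = base64.b64encode(os.urandom(SALT_LEN)).decode("ascii")
    if kdf == "pbkdf2":
        params = {"kdf": "pbkdf2", "hash": cost.get("hash", "sha512"),
                  "iterations": cost.get("iterations", 160_000), "salt": salt}
    elif kdf == "scrypt":
        params = {"kdf": "scrypt", "n": cost.get("n", 2 ** 14),
                  "r": cost.get("r", 8), "p": cost.get("p", 1), "salt": salt}
    else:
        raise ValueError(f"unknown kdf {kdf!r}")
    check_work_factor(params)
    return params


def encode_header(params: dict) -> bytes:
    """Serialise the KDF parameters; this header travels with the ciphertext."""
    return json.dumps(params, sort_keys=True).encode("ascii")


def decode_header(header: bytes) -> dict:
    return json.loads(header.decode("ascii"))


if __name__ == "__main__":
    params = new_params("scrypt", n=2 ** 14, r=8, p=1)
    key, iv = derive("correct horse battery staple", params)
    header = encode_header(params)
    # The reading side parses the header and re-derives the same key and IV.
    key2, iv2 = derive("correct horse battery staple", decode_header(header))
    assert (key, iv) == (key2, iv2)
    print(header.decode(), key.hex(), iv.hex())
```

Because the salt and cost parameters are part of the stored header, the iteration count or scrypt N can be raised for new records without breaking the ability to re-derive keys for old ones, which is the property the issue's last paragraph asks for; the validation in `check_work_factor` is what stops a downgraded header from silently selecting a cheap derivation.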


People

• Assignee: Andy LoPresto (alopresto)
• Reporter: Andy LoPresto (alopresto)
