Apache NiFi / NIFI-1257

Provide additional KDFs for EncryptContent


Details

    Description

      Currently, the two key derivation functions (KDF) supported are NiFi Legacy (1000 iterations of MD5 digest over a password and optional salt) and OpenSSL PKCS#5 v1.5 (a single iteration of MD5 digest over a password and optional salt).

      Both of these are very weak – they use a deprecated cryptographic hash function (CHF) with known weaknesses and susceptibility to collisions (with demonstrated attacks), and a non-configurable, tightly coupled iteration count to derive the key and IV.

      Current best practice KDFs (with work factor recommendations) are as follows:

      • PBKDF2 with variable hash function (SHA1, SHA256, SHA384, SHA512, or ideally HMAC variants of these functions) and variable iteration count (in the 10k - 1M range).
      • bcrypt with work factor of 12 - 16
      • scrypt with work factor of (2^14 - 2^20, 8, 1)

      The salt and iteration count should be stored alongside the hashed record (bcrypt handles this natively).
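As an added illustration of the three points above (a selectable hash and iteration count for PBKDF2, an (N, r, p) work factor for scrypt, and a salt and work factor stored alongside the derived material), here is a small Python example. It is not NiFi code and not the attached patch; NiFi itself is Java, but the Python standard library exposes PBKDF2 and scrypt directly, which keeps the example runnable on its own. bcrypt is not in the standard library, so only the first two KDFs are shown. The `kdf$params$salt$derived` record layout, the policy floors (taken from the low end of the ranges listed above) and the sample password are assumptions made for this example.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Policy floors taken from the low end of the ranges in the issue; the floors
# and the record layout below are constructed for this example, not NiFi's.
PBKDF2_MIN_ITERATIONS = 10_000   # low end of the 10k - 1M range
SCRYPT_MIN_N = 2 ** 14           # low end of the 2^14 - 2^20 range
KEY_LEN, IV_LEN = 32, 16         # AES-256 key followed by a 128-bit IV


def derive_pbkdf2(password: bytes, salt: bytes, iterations: int,
                  hash_name: str = "sha256",
                  length: int = KEY_LEN + IV_LEN) -> bytes:
    """PBKDF2 with a selectable HMAC hash and a caller-chosen iteration count."""
    return hashlib.pbkdf2_hmac(hash_name, password, salt, iterations, dklen=length)


def derive_scrypt(password: bytes, salt: bytes, n: int = 2 ** 14, r: int = 8,
                  p: int = 1, length: int = KEY_LEN + IV_LEN) -> bytes:
    """scrypt with work factor (N, r, p); memory use is about 128 * r * N bytes."""
    return hashlib.scrypt(password, salt=salt, n=n, r=r, p=p, dklen=length)


def b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


def make_record(password: bytes, kdf: str, salt: Optional[bytes] = None,
                **params) -> str:
    """Derive key+IV material and return a self-describing record.

    The KDF name, its work-factor parameters and the salt are stored with the
    derived bytes, so the consumer never has to hard-code them (the coupling the
    issue criticises in the legacy KDFs).  Layout is an assumption:
      pbkdf2$<hash>$<iterations>$<salt b64>$<derived b64>
      scrypt$<N>$<r>$<p>$<salt b64>$<derived b64>
    """
    salt = os.urandom(16) if salt is None else salt
    if kdf == "pbkdf2":
        hash_name = params.get("hash_name", "sha256")
        iterations = int(params.get("iterations", 100_000))
        derived = derive_pbkdf2(password, salt, iterations, hash_name)
        return "$".join(["pbkdf2", hash_name, str(iterations), b64(salt), b64(derived)])
    if kdf == "scrypt":
        n, r, p = (int(params.get("n", 2 ** 14)), int(params.get("r", 8)),
                   int(params.get("p", 1)))
        derived = derive_scrypt(password, salt, n, r, p)
        return "$".join(["scrypt", str(n), str(r), str(p), b64(salt), b64(derived)])
    raise ValueError("unsupported kdf: " + kdf)


def rederive(password: bytes, record: str) -> bytes:
    """Parse a record and re-run its KDF with the stored salt and parameters.

    Because the work factor travels with the record, the consumer must enforce
    a floor; otherwise a tampered or stale record could silently lower the cost
    of deriving the key.
    """
    fields = record.split("$")
    if fields[0] == "pbkdf2" and len(fields) == 5:
        _, hash_name, iterations, salt, _ = fields
        iterations = int(iterations)
        if iterations < PBKDF2_MIN_ITERATIONS:
            raise ValueError("PBKDF2 iteration count below policy floor")
        return derive_pbkdf2(password, base64.b64decode(salt), iterations, hash_name)
    if fields[0] == "scrypt" and len(fields) == 6:
        _, n, r, p, salt, _ = fields
        n, r, p = int(n), int(r), int(p)
        if n < SCRYPT_MIN_N or n & (n - 1):
            raise ValueError("scrypt N below policy floor or not a power of two")
        return derive_scrypt(password, base64.b64decode(salt), n, r, p)
    raise ValueError("unrecognised record")


def verify(password: bytes, record: str) -> bool:
    """True only if the record meets policy and re-derivation matches the stored
    bytes; the comparison is constant-time."""
    try:
        stored = base64.b64decode(record.rsplit("$", 1)[1])
        return hmac.compare_digest(stored, rederive(password, record))
    except ValueError:          # bad base64 or a policy violation
        return False


def split_key_iv(material: bytes) -> Tuple[bytes, bytes]:
    """First 32 bytes are the AES-256 key, the next 16 the IV."""
    return material[:KEY_LEN], material[KEY_LEN:KEY_LEN + IV_LEN]


if __name__ == "__main__":
    pw = b"correct horse battery staple"          # constructed sample password
    rec = make_record(pw, "pbkdf2", hash_name="sha512", iterations=200_000)
    print(rec)
    key, iv = split_key_iv(rederive(pw, rec))
    print(len(key), len(iv), verify(pw, rec), verify(b"wrong", rec))
```

The point of `rederive` refusing a record whose stored work factor is below the floor is that storing parameters beside the hash, as the issue asks for, moves trust into the record itself: a consumer that blindly honours `iterations=1` has reintroduced the weakness the new KDFs are meant to remove.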

      Attachments

        1. 1257_salt_patch.diff (288 kB, Andy LoPresto)

            People

              alopresto Andy LoPresto