Details
-
Improvement
-
Status: Resolved
-
Major
-
Resolution: Fixed
-
0.5.0
Description
Currently, NiFi accepts a password and encryption algorithm in nifi.properties which are used to encrypt all sensitive processor properties throughout the application. The password defaults to empty and the algorithm defaults to PBEWITHMD5AND256BITAES-CBC-OPENSSL. This algorithm:
- uses a digest function (MD5) which is not cryptographically secure [1][2][3][4]
- uses a single iteration count [5][6]
- limits password input to 16 characters on JVMs without the unlimited strength cryptographic jurisdiction policy files installed
NIFI-1255
all of which combine to make it extremely insecure. We should change the default algorithm to use a strong key derivation function (KDF) [7] which will properly derive a key to protect the sensitive properties.
Because existing systems have already encrypted the properties using a key derived from the original settings, we should provide a translation/upgrade utility to seamlessly convert the stored values from the old password & algorithm combination to the new.
[1] http://security.stackexchange.com/a/19908/16485
[2] http://security.stackexchange.com/a/31846/16485
[3] http://security.stackexchange.com/questions/52461/how-weak-is-md5-as-a-password-hashing-function
[4] http://security.stackexchange.com/a/31410/16485
[5] http://security.stackexchange.com/a/29139/16485
[6] https://www.openssl.org/docs/manmaster/crypto/EVP_BytesToKey.html
[7] https://cwiki.apache.org/confluence/display/NIFI/Key+Derivation+Function+Explanations
Attachments
Attachments
Issue Links
- is fixed by
-
NIFI-8246 Set Default Sensitive Properties Algorithm with Improved KDF and Encryption
- Resolved
- is related to
-
NIFI-3024 Encrypted configuration migrator should be able to update sensitive properties key and migrate flow.xml.gz
- Resolved
-
NIFI-3116 Remove Jasypt library
- Resolved
-
NIFI-7668 Add configurable PBE AEAD algorithms to flow encryption
- Resolved
- links to