Apache NiFi
NIFI-1465: Upgrade encryption of sensitive properties


Details

    Description

      Currently, NiFi accepts a password and encryption algorithm in nifi.properties which are used to encrypt all sensitive processor properties throughout the application. The password defaults to empty and the algorithm defaults to PBEWITHMD5AND256BITAES-CBC-OPENSSL. This algorithm:

      • uses a digest function (MD5) which is not cryptographically secure [1][2][3][4]
      • uses a single iteration count [5][6]
      • limits password input to 16 characters on JVMs without the unlimited strength cryptographic jurisdiction policy files installed (see NIFI-1255)

      all of which combine to make it extremely insecure. We should change the default algorithm to use a strong key derivation function (KDF) [7] which will properly derive a key to protect the sensitive properties.

      Because existing systems have already encrypted the properties using a key derived from the original settings, we should provide a translation/upgrade utility to seamlessly convert the stored values from the old password & algorithm combination to the new.
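      As an added illustration (not NiFi's own code, nor part of this issue), the following Python re-implements the OpenSSL EVP_BytesToKey derivation [6] that PBEWITHMD5AND256BITAES-CBC-OPENSSL relies on (MD5, a single iteration) next to a PBKDF2-HMAC-SHA256 derivation of the kind the description recommends, and counts hash invocations so the work factor of the two schemes can be compared directly. The password, salt and iteration count are constructed sample values, and `derive_legacy`, `derive_pbkdf2` and `work_factor` are illustrative helper names, not NiFi APIs.

```python
"""Legacy EVP_BytesToKey (MD5, 1 iteration) versus PBKDF2-HMAC-SHA256.

Added illustration for NIFI-1465; not NiFi's own code. The legacy scheme
below mirrors the OpenSSL EVP_BytesToKey key/IV derivation that the default
PBEWITHMD5AND256BITAES-CBC-OPENSSL algorithm uses. The PBKDF2 variant is one
of the standard KDFs the issue asks for. Salt, password and iteration count
are constructed sample values.
"""
import hashlib
import os

KEY_LEN = 32   # AES-256 key length in bytes
IV_LEN = 16    # AES-CBC IV length in bytes

PBKDF2_ITERATIONS = 160_000                      # constructed sample value
SAMPLE_SALT = bytes.fromhex("0123456789abcdef")  # constructed 8-byte salt
SAMPLE_PASSWORD = b"correct horse battery staple"  # constructed


def evp_bytes_to_key(password: bytes, salt: bytes, key_len: int, iv_len: int,
                     count: int = 1, digest: str = "md5"):
    """Re-implementation of OpenSSL EVP_BytesToKey.

    D_1 = H(password || salt), D_i = H(D_{i-1} || password || salt); with
    count > 1 each D_i is re-hashed count-1 more times. key || iv is the
    concatenation of the D_i. Returns (key, iv, number_of_hash_calls).
    """
    d = b""
    derived = b""
    calls = 0
    while len(derived) < key_len + iv_len:
        d = hashlib.new(digest, d + password + salt).digest()
        calls += 1
        for _ in range(count - 1):
            d = hashlib.new(digest, d).digest()
            calls += 1
        derived += d
    return derived[:key_len], derived[key_len:key_len + iv_len], calls


def derive_legacy(password: bytes, salt: bytes = SAMPLE_SALT):
    """Key and IV exactly as the MD5 / single-iteration legacy scheme derives them."""
    key, iv, calls = evp_bytes_to_key(password, salt, KEY_LEN, IV_LEN, count=1)
    return {"key": key, "iv": iv, "hash_calls": calls}


def derive_pbkdf2(password: bytes, salt: bytes = SAMPLE_SALT,
                  iterations: int = PBKDF2_ITERATIONS):
    """Derive only the key with PBKDF2-HMAC-SHA256; the IV should be random
    per encryption and stored alongside the ciphertext, not derived."""
    key = hashlib.pbkdf2_hmac("sha256", password, salt, iterations, dklen=KEY_LEN)
    return {"key": key, "iv": os.urandom(IV_LEN), "iterations": iterations}


def work_factor(password: bytes, salt: bytes = SAMPLE_SALT,
                iterations: int = PBKDF2_ITERATIONS):
    """Hash calls an attacker must make per password guess under each scheme.

    PBKDF2 performs `iterations` HMAC calls for every 32-byte SHA-256 block
    of output; for a 32-byte key that is one block.
    """
    legacy_calls = derive_legacy(password, salt)["hash_calls"]
    blocks = -(-KEY_LEN // hashlib.sha256().digest_size)
    return legacy_calls, iterations * blocks


if __name__ == "__main__":
    legacy, modern = work_factor(SAMPLE_PASSWORD)
    print(f"legacy MD5 scheme: {legacy} hash calls per guess")
    print(f"PBKDF2-HMAC-SHA256: {modern} HMAC calls per guess")
```

Running the script on the sample values shows that the legacy scheme derives a full AES-256 key and IV with three MD5 calls, while PBKDF2 at 160,000 iterations costs five orders of magnitude more per password guess; the iteration count should be tuned to the deployment's hardware rather than taken from this sample.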

      [1] http://security.stackexchange.com/a/19908/16485
      [2] http://security.stackexchange.com/a/31846/16485
      [3] http://security.stackexchange.com/questions/52461/how-weak-is-md5-as-a-password-hashing-function
      [4] http://security.stackexchange.com/a/31410/16485
      [5] http://security.stackexchange.com/a/29139/16485
      [6] https://www.openssl.org/docs/manmaster/crypto/EVP_BytesToKey.html
      [7] https://cwiki.apache.org/confluence/display/NIFI/Key+Derivation+Function+Explanations


People

  exceptionfactory (David Handermann)
  alopresto (Andy LoPresto)
  Votes: 0
  Watchers: 3


Time Tracking

  Original Estimate: 120h
  Remaining Estimate: 120h
  Time Spent: Not Specified
