[NIFI-8246] Set Default Sensitive Properties Algorithm with Improved KDF and Encryption - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Sub-task
Status: Resolved
Priority: Major
Resolution: Fixed
Affects Version/s: 1.13.0
Fix Version/s: 1.14.0
Component/s: Security
Labels:
None

Description

The default Sensitive Properties Algorithm specified using nifi.sensitive.properties.algorithm in nifi.properties has been PBEWITHMD5AND256BITAES-CBC-OPENSSL since early release versions. This default value relies on the NiFiLegacyCipherProvider, which is deprecated. The NiFiLegacyCipherProvider uses the MD5 hash algorithm with 1000 iterations and a random salt. This algorithm configuration also specifies AES with CBC, which does not provide Authenticated Encryption with Associated Data.

Recent NiFi versions support the Argon2 secure hashing algorithm and AES in Galois/Counter Mode. ~~NIFI-7668~~ introduces support for additional secure hashing algorithms along with support for AES-GCM. One of the options that incorporates an improved Key Derivation Function and AES-GCM should be set as the default sensitive properties algorithm in order to provide greater security for encryption of sensitive properties.

Attachments

Issue Links

depends upon

NIFI-8230 Remove default Sensitive Properties Key

Resolved

fixes

NIFI-1465 Upgrade encryption of sensitive properties

Resolved

relates to

NIFI-9254 Update Default Sensitive Properties Configuration for Stateless

Resolved

links to

GitHub Pull Request #5055

Activity

People

Assignee:: David Handermann

Reporter:: David Handermann

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 20/Feb/21 18:09

Updated:: 28/Sep/21 16:15

Resolved:: 12/May/21 11:00

Time Tracking

Estimated:

Not Specified

Remaining:

Logged:

20m