Apache NiFi / NIFI-8246
Sub-task of NIFI-8220: Establish a secure by default configuration for NiFi

Set Default Sensitive Properties Algorithm with Improved KDF and Encryption

Details

    • Type: Sub-task
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Versions: 1.13.0, 1.14.0
    • Component: Security
    • Labels: None

    Description

      The default Sensitive Properties Algorithm specified using nifi.sensitive.properties.algorithm in nifi.properties has been PBEWITHMD5AND256BITAES-CBC-OPENSSL since early release versions. This default value relies on the NiFiLegacyCipherProvider, which is deprecated. The NiFiLegacyCipherProvider uses the MD5 hash algorithm with 1000 iterations and a random salt. This algorithm configuration also specifies AES with CBC, which does not provide Authenticated Encryption with Associated Data.

      Recent NiFi versions support the Argon2 secure hashing algorithm and AES in Galois/Counter Mode. NIFI-7668 introduces support for additional secure hashing algorithms along with support for AES-GCM. One of the options that incorporates an improved Key Derivation Function and AES-GCM should be set as the default sensitive properties algorithm in order to provide greater security for encryption of sensitive properties.

            People

              exceptionfactory David Handermann