Apache NiFi / NIFI-8220 Establish a secure by default configuration for NiFi / NIFI-8246

Set Default Sensitive Properties Algorithm with Improved KDF and Encryption


Details

• Type: Sub-task
• Status: Patch Available
• Priority: Major
• Resolution: Unresolved
• Affects Version/s: 1.13.0
• Fix Version/s: None
• Component/s: Security
• Labels: None

Description

The default Sensitive Properties Algorithm specified using nifi.sensitive.properties.algorithm in nifi.properties has been PBEWITHMD5AND256BITAES-CBC-OPENSSL since early release versions. This default value relies on the NiFiLegacyCipherProvider, which is deprecated. The NiFiLegacyCipherProvider uses the MD5 hash algorithm with 1000 iterations and a random salt. This algorithm configuration also specifies AES with CBC, which does not provide Authenticated Encryption with Associated Data.

Recent NiFi versions support the Argon2 secure hashing algorithm and AES in Galois/Counter Mode. NIFI-7668 introduces support for additional secure hashing algorithms along with support for AES-GCM. One of the options that incorporates an improved Key Derivation Function and AES-GCM should be set as the default sensitive properties algorithm in order to provide greater security for encryption of sensitive properties.

People

• Assignee: exceptionfactory David Handermann
• Reporter: exceptionfactory David Handermann
• Votes: 0
• Watchers: 1

Time Tracking

• Original Estimate: Not Specified
• Remaining Estimate: 0h
• Time Spent: 10m