[ 
https://issues.apache.org/jira/browse/NIFI-11022?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17681150#comment-17681150
 ] 

ASF subversion and git services commented on NIFI-11022:
--------------------------------------------------------

Commit 0c676b96337a0afb760d78de11e7fb1747794f9d in nifi's branch 
refs/heads/main from David Handermann
[ https://gitbox.apache.org/repos/asf?p=nifi.git;h=0c676b9633 ]

NIFI-11022 Added DecryptContent Compatibility Processors

- Added nifi-cipher-bundle with nifi-cipher-nar for new Processors
- Added DecryptContentCompatibilityMode Processor supporting PKCS5 and PKCS12 
Password-Based Encryption Schemes
- Added DecryptContentEncoded Processor supporting NiFi Key Derivation 
Functions and associated formatting
- Added nifi-security-crypt-key module with Key Derivation Functions and 
Parameter Readers
- Added Additional Details documentation for Processors

This closes #6821
Signed-off-by: Paul Grey <gr...@apache.org>


> Add Decrypt Processors Compatible with EncryptContent Encoding
> --------------------------------------------------------------
>
>                 Key: NIFI-11022
>                 URL: https://issues.apache.org/jira/browse/NIFI-11022
>             Project: Apache NiFi
>          Issue Type: New Feature
>          Components: Extensions, Security
>            Reporter: David Handermann
>            Assignee: David Handermann
>            Priority: Major
>         Attachments: DecryptContent_Flow.json
>
>          Time Spent: 2h 10m
>  Remaining Estimate: 0h
>
> The {{EncryptContent}} Processor supports a wide variety of configuration 
> options, enabling both encryption and decryption using various algorithms. 
> Many of these algorithms are not secure according to modern cryptographic 
> analysis, and existing secure options use a custom encoding format. New 
> Processors should be added that support decrypting content according to these 
> legacy and custom formats, which will enable deprecating {{EncryptContent}} 
> for removal and replacement with other approaches.
>
> The majority of allowable values for the {{Encryption Method}} property in 
> {{EncryptContent}} come from the PKCS #5 Password-Based Cryptography 
> Specification, described in [RFC 
> 8018|https://www.rfc-editor.org/rfc/rfc8018]. These algorithm names start 
> with {{PBE}} and incorporate a message digest function along with a cipher 
> algorithm. Although these methods include AES, the key derivation process for 
> all PBE algorithms follows the {{PBES1}} specification from RFC 8018, which 
> is not secure or suitable for modern applications. The ability to decrypt 
> older content is useful, but new content should not be encrypted using these 
> methods.
>
> The PBE algorithms can be configured together with either the {{NiFi Legacy}} 
> or {{OpenSSL EVP BytesToKey}} option for key derivation. The {{NiFi Legacy}} 
> option derives from the [Jasypt|http://www.jasypt.org/] library, which 
> provides a standard wrapper for PBE algorithms that defaults to 1000 
> iterations of a selected digest algorithm. The {{OpenSSL EVP}} option 
> supports compatibility with encryption operations implemented in the 
> {{OpenSSL}} library and command.
>
> Advanced Key Derivation Functions include Argon2, bcrypt, PBKDF2, and scrypt, 
> which can be used together with AES in Galois/Counter Mode (GCM) for 
> authenticated encryption. These options provide much better security than the 
> legacy PBE methods, but they rely on custom file encoding using byte 
> delimiters that are specific to Apache NiFi. In addition, these Key 
> Derivation Functions generate keys of 16 bytes, which supports AES with 128 
> bit keys, but not AES with 256 bit keys. NiFi 0.5.0 added bcrypt, PBKDF2, and 
> scrypt, and NiFi 1.12.0 added Argon2. Decrypting content according to the 
> custom NiFi encoding should be supported, but other options should be 
> evaluated separately for encryption in new flows. The salt parameter bytes 
> associated with Argon2, bcrypt, and scrypt allow for detection of file 
> encoding, which can enable new decryption processors to be configured without 
> reference to a specific Key Derivation Function.
>
> Adding new decryption processors will enable clear separation of encryption 
> and decryption operations, providing a compatible transition path for 
> historical usage of {{EncryptContent}} without the need to continue 
> supporting insecure encryption methods.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
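
The two legacy derivations named in the issue description, PBES1 key derivation (PBKDF1 from RFC 8018) and OpenSSL EVP_BytesToKey, written out as an added Python example that is not code from NiFi or from the commit. The function names, the MD5 default, and the sample password, salt and ciphertext are assumptions constructed for illustration; the `Salted__` header is the layout written by the `openssl enc` command.

```python
import hashlib

OPENSSL_MAGIC = b"Salted__"  # header written by `openssl enc` before the 8-byte salt


def pbkdf1(password, salt, iterations, dk_len, digest="md5"):
    """RFC 8018 PBKDF1 (used by PBES1): T_1 = H(P || S), T_i = H(T_{i-1})."""
    t = hashlib.new(digest, password + salt).digest()
    if dk_len > len(t):
        raise ValueError("PBKDF1 output is limited to one digest length")
    for _ in range(iterations - 1):
        t = hashlib.new(digest, t).digest()
    return t[:dk_len]


def evp_bytes_to_key(password, salt, key_len, iv_len, digest="md5", count=1):
    """OpenSSL EVP_BytesToKey: D_i = H^count(D_{i-1} || P || S), concatenated."""
    material, block = b"", b""
    while len(material) < key_len + iv_len:
        block = hashlib.new(digest, block + password + salt).digest()
        for _ in range(count - 1):
            block = hashlib.new(digest, block).digest()
        material += block
    return material[:key_len], material[key_len:key_len + iv_len]


def split_openssl_salt(data):
    """Split 'Salted__' || salt(8) || ciphertext; reject anything else."""
    if len(data) < 16 or not data.startswith(OPENSSL_MAGIC):
        raise ValueError("missing OpenSSL 'Salted__' header")
    return data[8:16], data[16:]


if __name__ == "__main__":
    password = b"constructed-password"  # constructed sample value
    blob = OPENSSL_MAGIC + bytes(range(8)) + b"\x00" * 16  # constructed sample input
    salt, ciphertext = split_openssl_salt(blob)
    # PBES1 with 1000 iterations (the Jasypt default cited in the issue):
    # one 16-byte MD5 chain is split into an 8-byte key and an 8-byte IV.
    dk = pbkdf1(password, salt, 1000, 16)
    print("PBES1 key/iv:", dk[:8].hex(), dk[8:].hex())
    # EVP_BytesToKey with count=1: one MD5 call per 16 bytes of key material.
    key, iv = evp_bytes_to_key(password, salt, 16, 16)
    print("EVP   key/iv:", key.hex(), iv.hex())
```

When the key and IV together fit in one digest, EVP_BytesToKey with the same count produces the same bytes as PBKDF1; both rely on a small number of fast digest calls over the password and salt.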
