[
https://issues.apache.org/jira/browse/NIFI-5285?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16821449#comment-16821449
]
Troy Melhase edited comment on NIFI-5285 at 4/18/19 7:58 PM:
-------------------------------------------------------------
The test files that check/provide these values are:
* [BcryptCipherProviderGroovyTest.groovy|https://github.com/apache/nifi/blob/master/nifi-commons/nifi-security-utils/src/test/groovy/org/apache/nifi/security/util/crypto/BcryptCipherProviderGroovyTest.groovy]
* [PBKDF2CipherProviderGroovyTest.groovy|https://github.com/apache/nifi/blob/master/nifi-commons/nifi-security-utils/src/test/groovy/org/apache/nifi/security/util/crypto/PBKDF2CipherProviderGroovyTest.groovy]
* [ScryptCipherProviderGroovyTest.groovy|https://github.com/apache/nifi/blob/master/nifi-commons/nifi-security-utils/src/test/groovy/org/apache/nifi/security/util/crypto/ScryptCipherProviderGroovyTest.groovy]
The tests were enabled on each test host by editing the files:
{{$ sed -i '/@Ignore/d' PBKDF2CipherProviderGroovyTest.groovy}}
{{$ sed -i '/@Ignore/d' ScryptCipherProviderGroovyTest.groovy}}
{{$ sed -i '/@Ignore/d' BcryptCipherProviderGroovyTest.groovy}}
Running `mvn test` on a GCP "n1-standard-1" instance (1 vCPU, 3.75 GB memory):
{{[ERROR] testDefaultConstructorShouldProvideStrongIterationCount(org.apache.nifi.security.util.crypto.PBKDF2CipherProviderGroovyTest) Time elapsed: 0.266 s <<< FAILURE!}}
{{[ERROR] testDefaultConstructorShouldProvideStrongWorkFactor(org.apache.nifi.security.util.crypto.BcryptCipherProviderGroovyTest) Time elapsed: 0.06 s <<< FAILURE!}}
Running `mvn test` on local laptop (Linux host, i9 2.9 GHz, 32 GB RAM):
{{[ERROR] testDefaultConstructorShouldProvideStrongIterationCount(org.apache.nifi.security.util.crypto.PBKDF2CipherProviderGroovyTest) Time elapsed: 0.134 s <<< FAILURE!}}
{{[ERROR] testDefaultConstructorShouldProvideStrongWorkFactor(org.apache.nifi.security.util.crypto.BcryptCipherProviderGroovyTest) Time elapsed: 0.026 s <<< FAILURE!}}
{{[ERROR] testDefaultConstructorShouldProvideStrongParameters(org.apache.nifi.security.util.crypto.ScryptCipherProviderGroovyTest) Time elapsed: 0.006 s <<< FAILURE!}}
Locating the calculated work factor values from the test output (via ag "Determined minimum safe", dupes, dates, line numbers removed):
local laptop:
{{INFO BcryptCipherProviderGroovyTest - Determined minimum safe work factor to be 13}}
{{INFO ScryptCipherProviderGroovyTest - Determined minimum safe parameters to be N=32768, r=8, p=1}}
{{INFO PBKDF2CipherProviderGroovyTest - Determined minimum safe iteration count to be 640000}}
GCP instance:
{{INFO PBKDF2CipherProviderGroovyTest - Determined minimum safe iteration count to be 320000}}
{{INFO BcryptCipherProviderGroovyTest - Determined minimum safe work factor to be 13}}
{{INFO ScryptCipherProviderGroovyTest - Determined minimum safe parameters to be N=4096, r=8, p=1}}
was (Author: tmelhase):
The test files that check/provide these values are:
* [BcryptCipherProviderGroovyTest.groovy|https://github.com/apache/nifi/blob/master/nifi-commons/nifi-security-utils/src/test/groovy/org/apache/nifi/security/util/crypto/BcryptCipherProviderGroovyTest.groovy]
* [PBKDF2CipherProviderGroovyTest.groovy|https://github.com/apache/nifi/blob/master/nifi-commons/nifi-security-utils/src/test/groovy/org/apache/nifi/security/util/crypto/PBKDF2CipherProviderGroovyTest.groovy]
* [ScryptCipherProviderGroovyTest.groovy|https://github.com/apache/nifi/blob/master/nifi-commons/nifi-security-utils/src/test/groovy/org/apache/nifi/security/util/crypto/ScryptCipherProviderGroovyTest.groovy]
The tests were enabled on each test host by editing the files:
{{$ sed -i '/@Ignore/d' PBKDF2CipherProviderGroovyTest.groovy}}
{{$ sed -i '/@Ignore/d' ScryptCipherProviderGroovyTest.groovy}}
{{$ sed -i '/@Ignore/d' BcryptCipherProviderGroovyTest.groovy}}
Running `mvn test` on a GCP "n1-standard-1" instance (1 vCPU, 3.75 GB memory):
{{[ERROR] testDefaultConstructorShouldProvideStrongIterationCount(org.apache.nifi.security.util.crypto.PBKDF2CipherProviderGroovyTest) Time elapsed: 0.266 s <<< FAILURE!}}
{{[ERROR] testDefaultConstructorShouldProvideStrongWorkFactor(org.apache.nifi.security.util.crypto.BcryptCipherProviderGroovyTest) Time elapsed: 0.06 s <<< FAILURE!}}
Running `mvn test` on local laptop (Linux host, i9 2.9 GHz, 32 GB RAM):
{{[ERROR] testDefaultConstructorShouldProvideStrongIterationCount(org.apache.nifi.security.util.crypto.PBKDF2CipherProviderGroovyTest) Time elapsed: 0.134 s <<< FAILURE!}}
{{[ERROR] testDefaultConstructorShouldProvideStrongWorkFactor(org.apache.nifi.security.util.crypto.BcryptCipherProviderGroovyTest) Time elapsed: 0.026 s <<< FAILURE!}}
{{[ERROR] testDefaultConstructorShouldProvideStrongParameters(org.apache.nifi.security.util.crypto.ScryptCipherProviderGroovyTest) Time elapsed: 0.006 s <<< FAILURE!}}
Locating the calculated work factor values from the test output (via ag "Determined minimum safe", dupes removed):
local laptop:
84:2019-04-18 11:46:24,816 INFO BcryptCipherProviderGroovyTest - Determined minimum safe work factor to be 13
223:2019-04-18 11:46:25,200 INFO ScryptCipherProviderGroovyTest - Determined minimum safe parameters to be N=32768, r=8, p=1
92:2019-04-18 11:46:24,299 INFO PBKDF2CipherProviderGroovyTest - Determined minimum safe iteration count to be 640000
GCP instance:
215:2019-04-18 19:35:33,110 INFO PBKDF2CipherProviderGroovyTest - Determined minimum safe iteration count to be 320000
84:2019-04-18 19:35:33,721 INFO BcryptCipherProviderGroovyTest - Determined minimum safe work factor to be 13
205:2019-04-18 19:35:31,410 INFO ScryptCipherProviderGroovyTest - Determined minimum safe parameters to be N=4096, r=8, p=1
> Re-evaluate memory/time cost parameters for 2018
> ------------------------------------------------
>
> Key: NIFI-5285
> URL: https://issues.apache.org/jira/browse/NIFI-5285
> Project: Apache NiFi
> Issue Type: Task
> Components: Documentation & Website
> Affects Versions: 1.6.0
> Reporter: Andy LoPresto
> Assignee: Troy Melhase
> Priority: Major
> Labels: documentation, security
>
> There are some bcrypt, SCrypt, and PBKDF2 initial parameters which were
> determined to be secure against a default threat model given best known
> attacks in 2016. These should be re-evaluated for 2018.
> Administration Guide
> * Line 1303
> * Line 1311
> * Line 1321
> * Line 1637
> If these values are updated, backward-compatibility for internal uses also
> needs to be evaluated.
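
The per-host values reported in the comment above differ because a "minimum safe" cost is a function of how fast the host derives a key. This Python example is added here and is not code from the NiFi test suite or from the commenter; it shows one way such a value can be calibrated, by doubling the PBKDF2 iteration count until one derivation takes at least a target time. The 500 ms target, the starting count, HMAC-SHA-512 and the simulated host speeds are all assumptions.

```python
import hashlib
import os
import time

# Assumptions for this example; none of these values are stated on the page.
TARGET_SECONDS = 0.5       # time one derivation should cost on this host
START_ITERATIONS = 20_000  # where the doubling search begins
MAX_ITERATIONS = 1 << 26   # stop rather than loop forever on a broken timer


def time_pbkdf2(iterations, runs=3):
    """Best wall-clock time (seconds) of `runs` PBKDF2-HMAC-SHA512 derivations."""
    password = b"constructed sample password"
    salt = os.urandom(16)
    best = float("inf")
    for _ in range(runs):
        started = time.perf_counter()
        hashlib.pbkdf2_hmac("sha512", password, salt, iterations, dklen=32)
        best = min(best, time.perf_counter() - started)
    return best


def calibrate(measure=time_pbkdf2, start=START_ITERATIONS, target=TARGET_SECONDS):
    """Double the cost until a single derivation takes at least `target` seconds."""
    cost = start
    while measure(cost) < target:
        if cost >= MAX_ITERATIONS:
            raise RuntimeError("hit MAX_ITERATIONS before reaching the time target")
        cost *= 2
    return cost


def simulated_host(iterations_per_second):
    """Deterministic stand-in for a host: time grows linearly with the cost."""
    return lambda iterations: iterations / iterations_per_second


if __name__ == "__main__":
    # Constructed host speeds, chosen only to show how a 2x speed gap moves
    # the calibrated result by exactly one doubling step.
    print("slower host:", calibrate(simulated_host(500_000)))
    print("faster host:", calibrate(simulated_host(1_000_000)))
    print("this machine:", calibrate())
```

Because the search moves in powers of two, two hosts whose speeds differ by about 2x land one step apart, and a default that has to be accepted on every host must be at least the largest calibrated value.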