[ https://issues.apache.org/jira/browse/NIFI-11022?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17681150#comment-17681150 ]
ASF subversion and git services commented on NIFI-11022: -------------------------------------------------------- Commit 0c676b96337a0afb760d78de11e7fb1747794f9d in nifi's branch refs/heads/main from David Handermann [ https://gitbox.apache.org/repos/asf?p=nifi.git;h=0c676b9633 ] NIFI-11022 Added DecryptContent Compatibility Processors - Added nifi-cipher-bundle with nifi-cipher-nar for new Processors - Added DecryptContentCompatibilityMode Processor supporting PKCS5 and PKCS12 Password-Based Encryption Schemes - Added DecryptContentEncoded Processor supporting NiFi Key Derivation Functions and associated formatting - Added nifi-security-crypt-key module with Key Derivation Functions and Parameter Readers - Added Additional Details documentation for Processors This closes #6821 Signed-off-by: Paul Grey <gr...@apache.org> > Add Decrypt Processors Compatible with EncryptContent Encoding > -------------------------------------------------------------- > > Key: NIFI-11022 > URL: https://issues.apache.org/jira/browse/NIFI-11022 > Project: Apache NiFi > Issue Type: New Feature > Components: Extensions, Security > Reporter: David Handermann > Assignee: David Handermann > Priority: Major > Attachments: DecryptContent_Flow.json > > Time Spent: 2h 10m > Remaining Estimate: 0h > > The {{EncryptContent}} Processors supports a wide variety of configuration > options, enabling both encryption and decryption using various algorithms. > Many of these algorithms are not secure according to modern cryptographic > analysis, and existing secure options use a custom encoding format. New > Processors should be added that support decrypting content according to these > legacy and custom formats, which will enable deprecating {{EncryptContent}} > for removal and replacement with other approaches. > The majority allowable values for the {{Encryption Method}} property in > {{EncryptContent}} come from the PKCS #5 Password-Based Cryptography > Specification, described in [RFC > 8018|https://www.rfc-editor.org/rfc/rfc8018]. These algorithm names start > with {{PBE}} and incorporate a message digest function along with a cipher > algorithm. Although these methods include AES, the key derivation process for > all PBE algorithms follows the {{PBES1}} specification from RFC 8018, which > is not secure or suitable for modern applications. The ability to decrypt > older content is useful, but new content should not be encrypted using these > methods. > The PBE algorithms can be configured together with either the {{NiFi Legacy}} > or {{OpenSSL EVP BytesToKey}} option for key derivation. The {{NiFI Legacy}} > option derives from the [Jasypt|http://www.jasypt.org/] library, which > provides a standard wrapper for PBE algorithms that defaults to 1000 > iterations of a selected digest algorithm. The {{OpenSSL EVP}} option > supports compatibility with encryption operations implemented in the > {{OpenSSL}} library and command. > Advanced Key Derivation Functions include Argon2, bcrypt, PBKDF2, and scrypt, > which can be used together with AES in Galois/Counter Mode (GCM) for > authenticated encryption. These options provide much better security than the > legacy PBE methods, but they rely on custom file encoding using byte > delimiters that are specific to Apache NiFi. In addition, these Key > Derivation Functions generate keys of 16 bytes, which supports AES with 128 > bit keys, but not AES with 256 bit keys. NiFi 0.5.0 added bcrypt, PBKDF2, and > scrypt, and NiFi 1.12.0 added Argon2. Decrypting content according to the > custom NiFi encoding should be supported, but other options should be > evaluated separately for encryption in new flows. The salt parameter bytes > associated with Argon2, bcrypt, and scrypt allow for detection of file > encoding, which can enable new decryption processors to be configured without > reference to a specific Key Derivation Function. > Adding new decryption processors will enable clear separation of encryption > and decryption operations, providing a compatible transition path for > historical usage of {{EncryptContent}} without the need to continue > supporting insecure encryption methods. -- This message was sent by Atlassian Jira (v8.20.10#820010)