[ https://issues.apache.org/jira/browse/NIFI-1242?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15038329#comment-15038329 ]
ASF GitHub Bot commented on NIFI-1242:
--------------------------------------
GitHub user alopresto opened a pull request:
https://github.com/apache/nifi/pull/139
NIFI-1242 Providing KDF property for encryption to allow compatibility with OpenSSL
The internal key derivation function used by NiFi, while stronger than
OpenSSL's default (MD5/PKCS#5 v1.5), is not compatible with OpenSSL, so
externally-encrypted files could not be decrypted in NiFi. Added a property on
EncryptContent processor for KDF (defaults to legacy NiFi) to allow integration
of OpenSSL.
Wrote a longer explanation here:
https://github.com/alopresto/opensslpbeencryptor/blob/master/blog.md
You can merge this pull request into a Git repository by running:
$ git pull https://github.com/alopresto/nifi master
Alternatively you can review and apply these changes as the patch at:
https://github.com/apache/nifi/pull/139.patch
To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:
This closes #139
----
commit 25b7108d7befc744a27caf1abeb35c3c36d64288
Author: Andy LoPresto <[email protected]>
Date: 2015-12-02T23:20:46Z
NIFI-1240:
Added explicit reference to Sun Java Cryptographic Service Provider in
PasswordBasedEncryptor.
Removed manual seeding of SecureRandom in PasswordBasedEncryptor.
commit c04844c0480d208074be31ccd9dc72ec92b642df
Author: Andy LoPresto <[email protected]>
Date: 2015-12-03T03:05:53Z
NIFI-1242:
Added enum for KeyDerivationFunction.
commit af35c370d3c27d5bd47c63d4b889d6cc21284193
Author: Andy LoPresto <[email protected]>
Date: 2015-12-03T03:09:27Z
NIFI-1242:
Added cipher init for legacy and OpenSSL KDFs.
commit 940b6e370ab9cd23a4dbe7dba4bb0d01c02e8cdf
Author: Andy LoPresto <[email protected]>
Date: 2015-12-03T04:21:03Z
NIFI-1242:
Added test resources.
plain.txt: This is a plaintext message.
0s @ 19:48:36 $ openssl enc -aes-256-cbc -e -in plain.txt -out salted_raw.enc -k thisIsABadPassword -p
salt=43CD63B29E1CE1F2
key=8A78D6762B279416B62E1AF50A73339C5D753FBF956092B4235323AD4147D8BE
iv =ED4ED4827BD23DE74D21C8E63DA0B8AE
0s @ 19:49:24 $ xxd salted_raw.enc
0000000: 5361 6c74 6564 5f5f 43cd 63b2 9e1c e1f2 Salted__C.c.....
0000010: c972 11ac 1baa b424 7fb3 156e 4cc6 1f47 .r.....$...nL..G
0000020: 11e5 cedc e343 5203 952d 4500 f9ab 3cbe .....CR..-E...<.
0s @ 20:14:00 $ openssl enc -aes-256-cbc -e -in plain.txt -out unsalted_raw.enc -k thisIsABadPassword -p -nosalt
key=711E85689CE7AFF6F410AEA43ABC5446842F685B84879B2E00F977C22B9E9A7D
iv =0C90ABF8ECE84B92BAA2CD448EC760F0
0s @ 20:14:17 $ xxd unsalted_raw.enc
0000000: 70cd 2984 fdbb 0e7c c01b 7206 88b1 6b50 p.)....|..r...kP
0000010: 5eeb e4f3 4036 773b 00ce dd8e 85d8 f90a ^...@6w;........
commit 3f481a2e61630df449f8cfd681ba17d76e80e6ab
Author: Andy LoPresto <[email protected]>
Date: 2015-12-03T04:24:27Z
NIFI-1242:
Implemented KDF-dependent PBE in PasswordBasedEncryptor.
Added KDF property to EncryptContent processor and provided to
PasswordBasedEncryptor.
Added unit tests for salted and unsalted raw OpenSSL encrypted file
decryption.
----
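As an added example (not code from this PR or from NiFi), the two OpenSSL outputs quoted in the commit message above can be checked without OpenSSL: the `Salted__` header is split off salted_raw.enc and OpenSSL's MD5-based EVP_BytesToKey derivation is reproduced, so the salt, key and IV that `openssl enc -p` printed are recovered from the password alone. The byte strings and password are transcribed from the dumps above; handing the result to an AES-256-CBC decryptor is left to the caller.

```python
import hashlib
from typing import Tuple

# Test vectors transcribed from the commit message above: the xxd dumps of
# salted_raw.enc / unsalted_raw.enc and the password used to create them.
PASSWORD = b"thisIsABadPassword"
SALTED_RAW_ENC = bytes.fromhex(
    "53616c7465645f5f43cd63b29e1ce1f2"   # "Salted__" magic + 8-byte salt
    "c97211ac1baab4247fb3156e4cc61f47"
    "11e5cedce3435203952d4500f9ab3cbe")
UNSALTED_RAW_ENC = bytes.fromhex(
    "70cd2984fdbb0e7cc01b720688b16b50"
    "5eebe4f34036773b00cedd8e85d8f90a")
OPENSSL_MAGIC = b"Salted__"
AES_BLOCK = 16

def evp_bytes_to_key(password: bytes, salt: bytes, key_len: int = 32,
                     iv_len: int = 16, count: int = 1) -> Tuple[bytes, bytes]:
    """OpenSSL's legacy EVP_BytesToKey with MD5 (the `openssl enc -k` default
    in 2015): D_i = MD5(D_{i-1} || password || salt), concatenated until
    key_len + iv_len bytes exist. A single MD5 round is why it is so weak."""
    derived = block = b""
    while len(derived) < key_len + iv_len:
        block = hashlib.md5(block + password + salt).digest()
        for _ in range(count - 1):            # extra rounds only if count > 1
            block = hashlib.md5(block).digest()
        derived += block
    return derived[:key_len], derived[key_len:key_len + iv_len]

def parse_openssl_enc(blob: bytes) -> Tuple[bytes, bytes]:
    """Split `openssl enc` output into (salt, ciphertext): salted files start
    with "Salted__" and an 8-byte salt, -nosalt files have no header at all."""
    if blob.startswith(OPENSSL_MAGIC):
        if len(blob) < 16:
            raise ValueError("truncated OpenSSL salt header")
        salt, ciphertext = blob[8:16], blob[16:]
    else:
        salt, ciphertext = b"", blob
    if not ciphertext or len(ciphertext) % AES_BLOCK:
        raise ValueError("ciphertext is not whole AES-CBC blocks")
    return salt, ciphertext

def derive_parameters(blob: bytes, password: bytes) -> dict:
    """Salt, key and IV as upper-case hex (comparable with the `openssl enc -p`
    output above) plus the ciphertext for an AES-256-CBC/PKCS#5 decryptor."""
    salt, ciphertext = parse_openssl_enc(blob)
    key, iv = evp_bytes_to_key(password, salt)
    return {"salt": salt.hex().upper(), "key": key.hex().upper(),
            "iv": iv.hex().upper(), "ciphertext": ciphertext}
```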
> Password-based encryption is not compatible with OpenSSL
> --------------------------------------------------------
>
> Key: NIFI-1242
> URL: https://issues.apache.org/jira/browse/NIFI-1242
> Project: Apache NiFi
> Issue Type: Bug
> Components: Extensions
> Affects Versions: 0.4.0
> Reporter: Andy LoPresto
> Assignee: Andy LoPresto
> Priority: Critical
> Labels: easyfix, security
> Fix For: 0.4.0
>
> Original Estimate: 24h
> Remaining Estimate: 24h
>
> Despite the algorithm names indicating compatibility with OpenSSL, the
> current password-based encryption processors cannot decrypt data that was
> encrypted with OpenSSL external to NiFi.
> I will create a new OpenSSLPBEEncryptor implementation, a new
> EncryptionMethod, and wire the logic in EncryptContent to select the correct
> encryptor.
> I have a more in-depth explanation of the issue at
> https://github.com/alopresto/opensslpbeencryptor/blob/master/blog.md, but the
> fix is done in a sandbox and will be moved into NiFi by morning 12/03/15.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)