[
https://issues.apache.org/jira/browse/NIFI-1255?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15129756#comment-15129756
]
Andy LoPresto edited comment on NIFI-1255 at 2/3/16 4:14 AM:
-------------------------------------------------------------
Longest supported password by encryption method:
PBEWITHMD5AND128BITAES-CBC-OPENSSL 16
PBEWITHMD5AND192BITAES-CBC-OPENSSL 16
PBEWITHMD5AND256BITAES-CBC-OPENSSL 16
PBEWITHMD5ANDDES 16
PBEWITHMD5ANDRC2 16
PBEWITHSHA1ANDRC2 16
PBEWITHSHA1ANDDES 16
PBEWITHSHAAND128BITAES-CBC-BC 7
PBEWITHSHAAND192BITAES-CBC-BC 7
PBEWITHSHAAND256BITAES-CBC-BC 7
PBEWITHSHAAND40BITRC2-CBC 7
PBEWITHSHAAND128BITRC2-CBC 7
PBEWITHSHAAND40BITRC4 7
PBEWITHSHAAND128BITRC4 7
PBEWITHSHA256AND128BITAES-CBC-BC 7
PBEWITHSHA256AND192BITAES-CBC-BC 7
PBEWITHSHA256AND256BITAES-CBC-BC 7
PBEWITHSHAAND2-KEYTRIPLEDES-CBC 7
PBEWITHSHAAND3-KEYTRIPLEDES-CBC 7
PBEWITHSHAANDTWOFISH-CBC 7
was (Author: alopresto):
{{Longest supported password by encryption method:
PBEWITHMD5AND128BITAES-CBC-OPENSSL 16
PBEWITHMD5AND192BITAES-CBC-OPENSSL 16
PBEWITHMD5AND256BITAES-CBC-OPENSSL 16
PBEWITHMD5ANDDES 16
PBEWITHMD5ANDRC2 16
PBEWITHSHA1ANDRC2 16
PBEWITHSHA1ANDDES 16
PBEWITHSHAAND128BITAES-CBC-BC 7
PBEWITHSHAAND192BITAES-CBC-BC 7
PBEWITHSHAAND256BITAES-CBC-BC 7
PBEWITHSHAAND40BITRC2-CBC 7
PBEWITHSHAAND128BITRC2-CBC 7
PBEWITHSHAAND40BITRC4 7
PBEWITHSHAAND128BITRC4 7
PBEWITHSHA256AND128BITAES-CBC-BC 7
PBEWITHSHA256AND192BITAES-CBC-BC 7
PBEWITHSHA256AND256BITAES-CBC-BC 7
PBEWITHSHAAND2-KEYTRIPLEDES-CBC 7
PBEWITHSHAAND3-KEYTRIPLEDES-CBC 7
PBEWITHSHAANDTWOFISH-CBC 7}}
> Evaluate JCE cryptography with PBE and limited strength cryptography
> --------------------------------------------------------------------
>
> Key: NIFI-1255
> URL: https://issues.apache.org/jira/browse/NIFI-1255
> Project: Apache NiFi
> Issue Type: Bug
> Components: Core Framework
> Affects Versions: 0.4.0
> Reporter: Andy LoPresto
> Assignee: Andy LoPresto
> Labels: encryption, security
> Fix For: 0.6.0
>
> Attachments: PBE_cipher_max_password_lengths.txt
>
>
> As documented in NIFI-1242 and PR-140, there is an issue with the way we are
> providing encryption algorithms. Currently, NiFi allows the use of many AES
> ciphers with 128, 192, or 256 bit key size, regardless of the JCE Unlimited
> Strength Cryptography Policies (required for the use of AES with a key above
> 128 bits) installed.
> Java does enforce a key check, but it does this during cipher.init(), before
> the actual encryption key has been derived from the password. Instead, it
> validates the length of the **raw password**. It then derives a key of the
> correct length, regardless of the policies in place. This has been verified
> on systems without the JCE USC policies installed using OpenSSL AES-256-CBC.
> Default JRE:
> Cipher | Password length | Should Work | Does Work
> --------|-----------------|-------------|-----------
> AES-128 | <= 16 chars | YES | YES
> AES-128 | > 16 chars | YES | NO
> AES-192 | <= 16 chars | NO | YES
> AES-192 | > 16 chars | NO | NO
> AES-256 | <= 16 chars | NO | YES
> AES-256 | > 16 chars | NO | NO
> Currently (0.4.0) [~aldrin] and I created a patch which allows custom
> validation to determine if the combination of key size and password length
> will be successful if the system has limited strength cryptography. However,
> we should re-evaluate how we do password-based encryption (not to mention
> adding stronger algorithms, key-based encryption, authenticated encryption,
> etc.)
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
