[
https://issues.apache.org/jira/browse/NIFI-1257?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15132488#comment-15132488
]
ASF GitHub Bot commented on NIFI-1257:
--------------------------------------
Github user apiri commented on the pull request:
https://github.com/apache/nifi/pull/201#issuecomment-179914695
@alopresto I'm running into issues with executing the built assembly
without the JCE USJ files installed:
> 2016-02-04 10:52:14,023 ERROR [main] org.apache.nifi.NiFi Failure to launch NiFi due to java.util.ServiceConfigurationError: org.apache.nifi.controller.ControllerService: Provider org.apache.nifi.ssl.StandardSSLContextService could not be instantiated
java.util.ServiceConfigurationError: org.apache.nifi.controller.ControllerService: Provider org.apache.nifi.ssl.StandardSSLContextService could not be instantiated
    at java.util.ServiceLoader.fail(ServiceLoader.java:232) ~[na:1.8.0_60]
    at java.util.ServiceLoader.access$100(ServiceLoader.java:185) ~[na:1.8.0_60]
    at java.util.ServiceLoader$LazyIterator.nextService(ServiceLoader.java:384) ~[na:1.8.0_60]
    at java.util.ServiceLoader$LazyIterator.next(ServiceLoader.java:404) ~[na:1.8.0_60]
    at java.util.ServiceLoader$1.next(ServiceLoader.java:480) ~[na:1.8.0_60]
    at org.apache.nifi.nar.ExtensionManager.loadExtensions(ExtensionManager.java:107) ~[nifi-nar-utils-0.4.2-SNAPSHOT.jar:0.4.2-SNAPSHOT]
    at org.apache.nifi.nar.ExtensionManager.discoverExtensions(ExtensionManager.java:88) ~[nifi-nar-utils-0.4.2-SNAPSHOT.jar:0.4.2-SNAPSHOT]
    at org.apache.nifi.NiFi.<init>(NiFi.java:120) ~[nifi-runtime-0.4.2-SNAPSHOT.jar:0.4.2-SNAPSHOT]
    at org.apache.nifi.NiFi.main(NiFi.java:227) ~[nifi-runtime-0.4.2-SNAPSHOT.jar:0.4.2-SNAPSHOT]
Caused by: java.lang.ExceptionInInitializerError: null
    at javax.crypto.JceSecurityManager.<clinit>(JceSecurityManager.java:65) ~[na:1.8.0_60]
    at javax.crypto.Cipher.getConfiguredPermission(Cipher.java:2587) ~[na:1.8.0_60]
    at javax.crypto.Cipher.getMaxAllowedKeyLength(Cipher.java:2611) ~[na:1.8.0_60]
    at sun.security.ssl.CipherSuite$BulkCipher.isAvailable(CipherSuite.java:548) ~[na:1.8.0_60]
    at sun.security.ssl.CipherSuite$BulkCipher.isAvailable(CipherSuite.java:527) ~[na:1.8.0_60]
    at sun.security.ssl.CipherSuite.isAvailable(CipherSuite.java:194) ~[na:1.8.0_60]
    at sun.security.ssl.SSLContextImpl.getApplicableCipherSuiteList(SSLContextImpl.java:346) ~[na:1.8.0_60]
    at sun.security.ssl.SSLContextImpl.getDefaultCipherSuiteList(SSLContextImpl.java:297) ~[na:1.8.0_60]
    at sun.security.ssl.SSLEngineImpl.init(SSLEngineImpl.java:402) ~[na:1.8.0_60]
    at sun.security.ssl.SSLEngineImpl.<init>(SSLEngineImpl.java:349) ~[na:1.8.0_60]
    at sun.security.ssl.SSLContextImpl.engineCreateSSLEngine(SSLContextImpl.java:201) ~[na:1.8.0_60]
    at javax.net.ssl.SSLContext.createSSLEngine(SSLContext.java:329) ~[na:1.8.0_60]
    at org.apache.nifi.ssl.StandardSSLContextService.buildAlgorithmAllowableValues(StandardSSLContextService.java:424) ~[nifi-ssl-context-service-0.4.2-SNAPSHOT.jar:0.4.2-SNAPSHOT]
    at org.apache.nifi.ssl.StandardSSLContextService.<clinit>(StandardSSLContextService.java:103) ~[nifi-ssl-context-service-0.4.2-SNAPSHOT.jar:0.4.2-SNAPSHOT]
    at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) ~[na:1.8.0_60]
    at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62) ~[na:1.8.0_60]
    at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) ~[na:1.8.0_60]
    at java.lang.reflect.Constructor.newInstance(Constructor.java:422) ~[na:1.8.0_60]
    at java.lang.Class.newInstance(Class.java:442) ~[na:1.8.0_60]
    at java.util.ServiceLoader$LazyIterator.nextService(ServiceLoader.java:380) ~[na:1.8.0_60]
    ... 6 common frames omitted
Caused by: java.lang.SecurityException: Can not initialize cryptographic mechanism
    at javax.crypto.JceSecurity.<clinit>(JceSecurity.java:89) ~[na:1.8.0_60]
    ... 26 common frames omitted
Caused by: java.lang.SecurityException: Cannot locate policy or framework files!
    at javax.crypto.JceSecurity.setupJurisdictionPolicies(JceSecurity.java:256) ~[na:1.8.0_60]
    at javax.crypto.JceSecurity.access$000(JceSecurity.java:48) ~[na:1.8.0_60]
    at javax.crypto.JceSecurity$1.run(JceSecurity.java:81) ~[na:1.8.0_60]
    at java.security.AccessController.doPrivileged(Native Method) ~[na:1.8.0_60]
    at javax.crypto.JceSecurity.<clinit>(JceSecurity.java:78) ~[na:1.8.0_60]
    ... 26 common frames omitted
With them installed, NiFi starts and works as anticipated. Will dig in a
bit more to see what changed to cause the issue within
    at org.apache.nifi.ssl.StandardSSLContextService.buildAlgorithmAllowableValues(StandardSSLContextService.java:424)
> Provide additional KDFs for EncryptContent
> ------------------------------------------
>
> Key: NIFI-1257
> URL: https://issues.apache.org/jira/browse/NIFI-1257
> Project: Apache NiFi
> Issue Type: Improvement
> Components: Core Framework
> Affects Versions: 0.4.0
> Reporter: Andy LoPresto
> Assignee: Andy LoPresto
> Priority: Critical
> Labels: encryption, security
> Fix For: 0.5.0
>
>
> Currently, the two key derivation functions (KDF) supported are NiFi Legacy
> (1000 iterations of MD5 digest over a password and optional salt) and OpenSSL
> PKCS#5 v1.5 (a single iteration of MD5 digest over a password and optional
> salt).
> Both of these are very weak -- they use a deprecated cryptographic hash
> function (CHF) with known weakness and susceptibility to collisions (with
> demonstrated attacks) and a non-configurable and tightly coupled iteration
> count to derive the key and IV.
> Current best practice KDFs (with work factor recommendations) are as follows:
> * PBKDF2 with variable hash function (SHA1, SHA256, SHA384, SHA512, or
> ideally HMAC variants of these functions) and variable iteration count (in
> the 10k - 1M range).
> * bcrypt with work factor of 12 - 16
> * scrypt with work factor of (2^14 - 2^20, 8, 1)
> The salt and iteration count should be stored alongside the hashed record
> (bcrypt handles this natively).
> Notes:
> * http://wildlyinaccurate.com/bcrypt-choosing-a-work-factor/
> * http://blog.ircmaxell.com/2012/12/seven-ways-to-screw-up-bcrypt.html
> * http://security.stackexchange.com/questions/17207/recommended-of-rounds-for-bcrypt
> * http://security.stackexchange.com/questions/3959/recommended-of-iterations-when-using-pkbdf2-sha256/3993#3993
> * http://security.stackexchange.com/questions/4781/do-any-security-experts-recommend-bcrypt-for-password-storage/6415
> * http://web.archive.org/web/20130407190430/http://chargen.matasano.com/chargen/2007/9/7/enough-with-the-rainbow-tables-what-you-need-to-know-about-s.html
> * https://www.nccgroup.trust/us/about-us/newsroom-and-events/blog/2015/march/enough-with-the-salts-updates-on-secure-password-schemes/
> * http://www.tarsnap.com/scrypt.html
> * http://www.tarsnap.com/scrypt/scrypt.pdf
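Added example, not part of the original message and not NiFi's code: the single-iteration MD5 derivation the issue description calls weak (written here as OpenSSL's EVP_BytesToKey construction), next to a PBKDF2-HMAC-SHA256 derivation whose salt and iteration count travel in a header beside the ciphertext. The header layout, the `MAGIC` tag, the policy bounds and all function names are assumptions made for this illustration.

```python
import hashlib
import os
import struct

MAGIC = b"KDF1"              # constructed format tag, not a NiFi format
MIN_ITERATIONS = 10_000      # lower bound of the range quoted in the issue
MAX_ITERATIONS = 1_000_000   # upper bound; also caps attacker-chosen CPU cost


def weak_md5_key_iv(password, salt, key_len=16, iv_len=16, count=1):
    """EVP_BytesToKey with MD5; count=1 is the single-iteration scheme."""
    out, block = b"", b""
    while len(out) < key_len + iv_len:
        block = hashlib.md5(block + password + salt).digest()
        for _ in range(count - 1):
            block = hashlib.md5(block).digest()
        out += block
    return out[:key_len], out[key_len:key_len + iv_len]


def new_header(iterations=100_000, salt=None):
    """Serialize the KDF parameters so they are stored with the ciphertext."""
    salt = os.urandom(16) if salt is None else salt
    return MAGIC + struct.pack(">IB", iterations, len(salt)) + salt


def parse_header(header):
    """Return (iterations, salt); reject malformed or out-of-policy values."""
    if len(header) < 9 or header[:4] != MAGIC:
        raise ValueError("not a KDF header")
    iterations, salt_len = struct.unpack(">IB", header[4:9])
    salt = header[9:9 + salt_len]
    if len(salt) != salt_len or salt_len < 8:
        raise ValueError("truncated or too-short salt")
    # A stored count is untrusted input: refuse a downgraded work factor.
    if not MIN_ITERATIONS <= iterations <= MAX_ITERATIONS:
        raise ValueError("iteration count outside policy")
    return iterations, salt


def derive_key(password, header, key_len=32):
    """PBKDF2-HMAC-SHA256 key from the password and the stored parameters."""
    iterations, salt = parse_header(header)
    return hashlib.pbkdf2_hmac("sha256", password, salt, iterations, dklen=key_len)
```

Because the iteration count is read back from stored data, `parse_header` treats it as untrusted and enforces the bounds before any derivation runs.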