[ https://issues.apache.org/jira/browse/NIFI-7905?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

David Handermann resolved NIFI-7905.
------------------------------------
Resolution: Won't Fix

The encryption options supported in Zip4J do not meet current best practices
for AES encryption using AEAD. Users interested in creating encrypted archives
should evaluate other options.

> MergeContent should support password-protected Zip archives
> -----------------------------------------------------------
>
> Key: NIFI-7905
> URL: https://issues.apache.org/jira/browse/NIFI-7905
> Project: Apache NiFi
> Issue Type: Improvement
> Components: Extensions
> Reporter: David Handermann
> Assignee: David Handermann
> Priority: Minor
> Labels: encryption, security, zip
>
> MergeContent should be improved to support creation of password-protected Zip
> files. NIFI-7777 introduced support of decrypting password-protected Zip
> files using [Zip4j|http://www.lingala.net/zip4j.html] and the same library
> can be leveraged to support password-based encryption using either ZipCrypto
> Standard encryption or AES encryption.
>
> Following the [Zip File Format
> Specification|https://pkware.cachefly.net/webdocs/casestudies/APPNOTE.TXT]
> Appendix E, Zip4J supports AES-CTR with key lengths of either 128 or 256, and
> uses HMAC-SHA1 for PBKDF2. [WinZip|http://www.winzip.com/aes_info.htm]
> describes the implementation in more detail under the heading of AE-1 and
> AE-2 specifications. The Zip4j implementation also appears to limit
> passwords to ISO-8859-1 characters, which should be checked during property
> validation.
>
> ZipCrypto has [known security
> flaws|https://en.wikipedia.org/wiki/Zip_(file_format)#Encryption], which
> should be at least mentioned in the property description.
>
> The implementation should introduce new optional properties for Encryption
> Password and Encryption Method, listing ZipCrypto, AES-128-CTR and
> AES-256-CTR as options. The implementation should also write Flow File
> attributes indicating the cryptographic algorithm used.
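
The ISO-8859-1 password check and the AE-1/AE-2 key derivation described in the issue, as an added example that is not part of the original message and is not NiFi or Zip4j code. The function names are hypothetical; the iteration count, salt sizes and 10-byte authentication code are taken from the WinZip AE-1/AE-2 specification rather than from this page, and any salt or ciphertext passed in is a constructed sample.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Parameters from the WinZip AE-1/AE-2 specification (not stated on this page).
PBKDF2_ITERATIONS = 1000
SALT_BYTES = {128: 8, 256: 16}  # salt length depends on the AES key strength
AUTH_CODE_BYTES = 10            # HMAC-SHA1 output truncated to 80 bits


def validate_zip_password(password: str) -> bytes:
    """Return the password as ISO-8859-1 bytes, or raise ValueError."""
    try:
        return password.encode("iso-8859-1")
    except UnicodeEncodeError as exc:
        bad = password[exc.start:exc.end]
        raise ValueError(f"{bad!r} is outside ISO-8859-1") from exc


def derive_winzip_aes_keys(
    password: str, key_bits: int, salt: Optional[bytes] = None
) -> Tuple[bytes, bytes, bytes, bytes]:
    """Derive (salt, aes_key, hmac_key, verifier) the way AE-1/AE-2 does."""
    if key_bits not in SALT_BYTES:
        raise ValueError("key_bits must be 128 or 256")
    pw = validate_zip_password(password)
    if salt is None:
        salt = os.urandom(SALT_BYTES[key_bits])
    elif len(salt) != SALT_BYTES[key_bits]:
        raise ValueError("salt length does not match key strength")
    key_len = key_bits // 8
    # One PBKDF2-HMAC-SHA1 output is split into three parts:
    # AES-CTR key, HMAC-SHA1 key, and a 2-byte password verification value.
    material = hashlib.pbkdf2_hmac(
        "sha1", pw, salt, PBKDF2_ITERATIONS, dklen=2 * key_len + 2
    )
    return (salt, material[:key_len],
            material[key_len:2 * key_len], material[2 * key_len:])


def authentication_code(hmac_key: bytes, ciphertext: bytes) -> bytes:
    """Integrity is a separate truncated HMAC-SHA1 over the ciphertext,
    computed after AES-CTR encryption, rather than an AEAD tag."""
    return hmac.new(hmac_key, ciphertext, hashlib.sha1).digest()[:AUTH_CODE_BYTES]
```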