David Handermann created NIFI-13424:
---------------------------------------
Summary: Switch to EdDSA Signing for Application Bearer Tokens
Key: NIFI-13424
URL: https://issues.apache.org/jira/browse/NIFI-13424
Project: Apache NiFi
Issue Type: Improvement
Components: Core Framework
Reporter: David Handermann
Assignee: David Handermann
NiFi 1.15.0 introduced refactored Application Bearer Token signing and
verification using {{PS512}} based on an RSA Signature Scheme with SHA-512
hashing. This implementation provided strong security with a key size of 4096
bits. The RSA implementation also enabled broad compatibility across Java
versions.
[JEP 339|https://openjdk.org/jeps/339] introduced support for the Edwards-Curve
Digital Signature Algorithm in Java 15. EdDSA and the {{Ed25519}} instantiation
provide high-performance signing and verification using Elliptic Curve
Cryptography. [RFC 8037|https://www.rfc-editor.org/rfc/rfc8037] defines
{{EdDSA}} with {{Ed25519}} as a supported algorithm for JSON Web Token signing.
{{EdDSA}} provides security as good as or better than {{PS512}} using smaller keys
and signatures. Application Bearer Tokens with {{PS512}} require at least 1 KB
in each HTTP request header, but tokens signed with {{EdDSA}} are less than
half that size.
With Java 21 as the baseline version for NiFi, no additional libraries are
required to support {{EdDSA}} signing and verification. Based on the security
and size considerations, the web framework should be modified to use {{EdDSA}}
and {{Ed25519}} for token signing and verification.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
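The following is an added illustration of the change the issue describes, not code from Apache NiFi or from the reporter. It builds a compact JWS with alg EdDSA over Ed25519 as RFC 8037 specifies, verifies it while pinning the accepted algorithm to EdDSA, and generates a PS512 token of the same shape so the signature segment sizes can be compared. It is written against the Go standard library (crypto/ed25519, crypto/rsa) rather than the Java 21 APIs from JEP 339 that NiFi would use; the claim names and values in main are constructed samples and do not reflect NiFi's actual token claims.

```go
package main

import (
	"crypto"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha512"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// JWS encodes every segment as base64url without padding.
var b64 = base64.RawURLEncoding

// signingInput returns "header.payload" for the given alg and claims.
func signingInput(alg string, claims map[string]any) (string, error) {
	header, _ := json.Marshal(map[string]string{"alg": alg, "typ": "JWT"})
	payload, err := json.Marshal(claims)
	if err != nil {
		return "", err
	}
	return b64.EncodeToString(header) + "." + b64.EncodeToString(payload), nil
}

// SignEdDSA builds a compact JWS with alg "EdDSA" (RFC 8037). Ed25519 signs
// the signing input directly; there is no separate hashing step.
func SignEdDSA(priv ed25519.PrivateKey, claims map[string]any) (string, error) {
	in, err := signingInput("EdDSA", claims)
	if err != nil {
		return "", err
	}
	return in + "." + b64.EncodeToString(ed25519.Sign(priv, []byte(in))), nil
}

// VerifyEdDSA checks the token and returns its claims. Only alg "EdDSA" is
// accepted, so a token relabelled with another alg (e.g. "none") is rejected
// before any signature is examined.
func VerifyEdDSA(pub ed25519.PublicKey, token string) (map[string]any, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed compact JWS")
	}
	headerJSON, err := b64.DecodeString(parts[0])
	if err != nil {
		return nil, err
	}
	var header struct {
		Alg string `json:"alg"`
	}
	if err := json.Unmarshal(headerJSON, &header); err != nil {
		return nil, err
	}
	if header.Alg != "EdDSA" {
		return nil, fmt.Errorf("unexpected alg %q", header.Alg)
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil {
		return nil, err
	}
	if !ed25519.Verify(pub, []byte(parts[0]+"."+parts[1]), sig) {
		return nil, errors.New("signature verification failed")
	}
	payloadJSON, err := b64.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	var claims map[string]any
	err = json.Unmarshal(payloadJSON, &claims)
	return claims, err
}

// SignPS512 builds the same token shape with alg "PS512": RSASSA-PSS over a
// SHA-512 digest with salt length equal to the hash length, as JWA requires.
// It exists here only so the two signature sizes can be compared.
func SignPS512(priv *rsa.PrivateKey, claims map[string]any) (string, error) {
	in, err := signingInput("PS512", claims)
	if err != nil {
		return "", err
	}
	digest := sha512.Sum512([]byte(in))
	sig, err := rsa.SignPSS(rand.Reader, priv, crypto.SHA512, digest[:],
		&rsa.PSSOptions{SaltLength: rsa.PSSSaltLengthEqualsHash})
	if err != nil {
		return "", err
	}
	return in + "." + b64.EncodeToString(sig), nil
}

// SignatureLengths generates fresh keys and returns the base64url length of
// the signature segment for EdDSA and for PS512 with an RSA key of rsaBits.
func SignatureLengths(claims map[string]any, rsaBits int) (edLen, psLen int, err error) {
	_, edPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return 0, 0, err
	}
	rsaPriv, err := rsa.GenerateKey(rand.Reader, rsaBits)
	if err != nil {
		return 0, 0, err
	}
	edTok, err := SignEdDSA(edPriv, claims)
	if err != nil {
		return 0, 0, err
	}
	psTok, err := SignPS512(rsaPriv, claims)
	if err != nil {
		return 0, 0, err
	}
	return len(strings.Split(edTok, ".")[2]), len(strings.Split(psTok, ".")[2]), nil
}

func main() {
	// Constructed sample claims for illustration only.
	claims := map[string]any{"sub": "alice", "iss": "example", "exp": 1735689600}
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	token, _ := SignEdDSA(priv, claims)
	got, err := VerifyEdDSA(pub, token)
	fmt.Println("EdDSA token:", token, "\nclaims:", got, "err:", err)
	ed, ps, _ := SignatureLengths(claims, 4096)
	fmt.Printf("signature segment: EdDSA %d chars, PS512/RSA-4096 %d chars\n", ed, ps)
}
```

An Ed25519 signature is 64 bytes (86 base64url characters), while an RSA-4096 PSS signature is 512 bytes (683 characters), which is where the size difference claimed in the issue comes from; header and payload segments are identical for both algorithms. The alg check in VerifyEdDSA is the caveat worth carrying over to any real implementation: the verifier should decide which algorithm it accepts rather than trusting the token header.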