[
https://issues.apache.org/jira/browse/NIFI-13424?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
David Handermann updated NIFI-13424:
------------------------------------
Status: Patch Available (was: Open)
> Switch to EdDSA Signing for Application Bearer Tokens
> -----------------------------------------------------
>
> Key: NIFI-13424
> URL: https://issues.apache.org/jira/browse/NIFI-13424
> Project: Apache NiFi
> Issue Type: Improvement
> Components: Core Framework
> Reporter: David Handermann
> Assignee: David Handermann
> Priority: Major
>
> NiFi 1.15.0 introduced refactored Application Bearer Token signing and
> verification using {{PS512}} based on an RSA Signature Scheme with SHA-512
> hashing. This implementation provided strong security with a key size of 4096
> bits. The RSA implementation also enabled broad compatibility across Java
> versions.
> [JEP 339|https://openjdk.org/jeps/339] introduced support for the
> Edwards-Curve Digital Signature Algorithm in Java 15. EdDSA and the
> {{Ed25519}} instantiation provide high-performance signing and verification
> using Elliptic Curve Cryptography. [RFC
> 8037|https://www.rfc-editor.org/rfc/rfc8037] defines {{EdDSA}} with
> {{Ed25519}} as a supported algorithm for JSON Web Token signing.
> {{EdDSA}} provides as good or better security than {{PS512}} using smaller
> keys and signatures. Application Bearer Tokens with {{PS512}} require at
> least 1 KB in each HTTP request header, but tokens signed with {{EdDSA}} are
> less than half that size.
> With Java 21 as the baseline version for NiFi, no additional libraries are
> required to support {{EdDSA}} signing and verification. Based on the security
> and size considerations, the web framework should be modified to use
> {{EdDSA}} and {{Ed25519}} for token signing and verification.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
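The issue above describes the move from PS512 to EdDSA for bearer tokens and the size difference between the two. The following is an added example, not NiFi project code and not part of the Jira thread: it builds a compact JWS signed with Ed25519 using only the JDK's `java.security` API (available since JEP 339 in Java 15), verifies it against a pinned public key so the token's own `alg` header cannot select the algorithm, emits the RFC 8037 OKP JWK for the public key, and signs the same claims with PS512 using a 4096-bit RSA key so the two token lengths can be compared. The class name, claims JSON and method names are assumptions chosen for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PublicKey;
import java.security.Signature;
import java.security.spec.AlgorithmParameterSpec;
import java.security.spec.MGF1ParameterSpec;
import java.security.spec.PSSParameterSpec;
import java.util.Arrays;
import java.util.Base64;

/*
 * Added example, not NiFi code. Signs a compact JWS with Ed25519 using only the
 * JDK, verifies it against a pinned key, prints an RFC 8037 OKP JWK, and signs
 * the same claims with PS512 (RSASSA-PSS, SHA-512, 4096-bit key) for size comparison.
 */
public final class EdDsaJwtExample {

    private static final Base64.Encoder B64URL = Base64.getUrlEncoder().withoutPadding();
    private static final Base64.Decoder B64URL_DEC = Base64.getUrlDecoder();

    // Constructed sample claims; a real bearer token carries more (iat, aud, groups...).
    static final String SAMPLE_CLAIMS =
            "{\"iss\":\"nifi\",\"sub\":\"nifi-admin\",\"exp\":1719000000}";

    // PS512 per RFC 7518: SHA-512, MGF1 with SHA-512, salt length 64, trailer field 1.
    static final PSSParameterSpec PS512_PARAMS =
            new PSSParameterSpec("SHA-512", "MGF1", MGF1ParameterSpec.SHA512, 64, 1);

    static String b64url(byte[] bytes) {
        return B64URL.encodeToString(bytes);
    }

    static byte[] utf8(String s) {
        return s.getBytes(StandardCharsets.UTF_8);
    }

    /** Builds header.payload.signature; params is null for EdDSA, PS512_PARAMS for PS512. */
    static String sign(String jwsAlg, String jcaAlg, AlgorithmParameterSpec params,
                       KeyPair keyPair, String claimsJson) throws Exception {
        String header = "{\"alg\":\"" + jwsAlg + "\",\"typ\":\"JWT\"}";
        String signingInput = b64url(utf8(header)) + "." + b64url(utf8(claimsJson));
        Signature signature = Signature.getInstance(jcaAlg);
        if (params != null) {
            signature.setParameter(params);
        }
        signature.initSign(keyPair.getPrivate());
        signature.update(utf8(signingInput));
        return signingInput + "." + b64url(signature.sign());
    }

    /**
     * Verifies an EdDSA token against a pinned Ed25519 public key. The algorithm
     * and key come from the verifier, never from the token, so a header claiming
     * another alg (PS512, none, HS256) is rejected rather than honoured.
     */
    static boolean verifyEdDsa(String token, PublicKey ed25519PublicKey) {
        String[] parts = token.split("\\.", -1);
        if (parts.length != 3) {
            return false;
        }
        try {
            String header = new String(B64URL_DEC.decode(parts[0]), StandardCharsets.UTF_8);
            // Simplistic header check for the example; a real verifier parses the JSON.
            if (!header.contains("\"alg\":\"EdDSA\"")) {
                return false;
            }
            Signature signature = Signature.getInstance("Ed25519");
            signature.initVerify(ed25519PublicKey);
            signature.update(utf8(parts[0] + "." + parts[1]));
            return signature.verify(B64URL_DEC.decode(parts[2]));
        } catch (Exception e) {
            return false; // malformed Base64, wrong key type, bad signature encoding
        }
    }

    /** RFC 8037 OKP JWK; the raw 32-byte key is the tail of the X.509 SubjectPublicKeyInfo. */
    static String toOkpJwk(PublicKey ed25519PublicKey) {
        byte[] spki = ed25519PublicKey.getEncoded();
        byte[] raw = Arrays.copyOfRange(spki, spki.length - 32, spki.length);
        return "{\"kty\":\"OKP\",\"crv\":\"Ed25519\",\"x\":\"" + b64url(raw) + "\"}";
    }

    public static void main(String[] args) throws Exception {
        KeyPair edKeys = KeyPairGenerator.getInstance("Ed25519").generateKeyPair();
        String edToken = sign("EdDSA", "Ed25519", null, edKeys, SAMPLE_CLAIMS);

        KeyPairGenerator rsaGen = KeyPairGenerator.getInstance("RSA");
        rsaGen.initialize(4096);
        String psToken = sign("PS512", "RSASSA-PSS", PS512_PARAMS, rsaGen.generateKeyPair(), SAMPLE_CLAIMS);

        System.out.println("EdDSA token length: " + edToken.length());
        System.out.println("PS512 token length: " + psToken.length());
        System.out.println("verify(edToken):    " + verifyEdDsa(edToken, edKeys.getPublic()));
        // A tampered payload must fail, as must a PS512 token handed to the EdDSA verifier.
        String tampered = edToken.replaceFirst("\\.", ".x");
        System.out.println("verify(tampered):   " + verifyEdDsa(tampered, edKeys.getPublic()));
        System.out.println("verify(psToken):    " + verifyEdDsa(psToken, edKeys.getPublic()));
        System.out.println("JWK: " + toOkpJwk(edKeys.getPublic()));
    }
}
```

Run with `java EdDsaJwtExample.java` on JDK 15 or later; no third-party dependency is needed, which is the point made in the issue. The Ed25519 signature is 64 bytes (86 characters after Base64url), whereas the PS512 signature from a 4096-bit key is 512 bytes (683 characters), so the EdDSA token for the same claims is well under half the length of the PS512 one. The verifier pins both the key and the algorithm and only then looks at the header, which is the check that keeps the token's `alg` field from steering verification.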