[ https://issues.apache.org/jira/browse/NIFI-13424?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17856759#comment-17856759 ]

ASF subversion and git services commented on NIFI-13424:
--------------------------------------------------------

Commit 14b1776739e5a1a6ca55854856341c51ce826762 in nifi's branch refs/heads/main from David Handermann
[ https://gitbox.apache.org/repos/asf?p=nifi.git;h=14b1776739 ]

NIFI-13424 Switched to EdDSA for Application Bearer Tokens (#8986)

- Replaced PS512 algorithm based on RSASSA-PSS with EdDSA algorithm using Ed25519
- Added Ed25519 Signer and Verifier implementations based on Java Signature processing

This closes #8986 

> Switch to EdDSA Signing for Application Bearer Tokens
> -----------------------------------------------------
>
>                 Key: NIFI-13424
>                 URL: https://issues.apache.org/jira/browse/NIFI-13424
>             Project: Apache NiFi
>          Issue Type: Improvement
>          Components: Core Framework
>            Reporter: David Handermann
>            Assignee: David Handermann
>            Priority: Major
>
> NiFi 1.15.0 introduced refactored Application Bearer Token signing and 
> verification using {{PS512}} based on an RSA Signature Scheme with SHA-512 
> hashing. This implementation provided strong security with a key size of 4096 
> bits. The RSA implementation also enabled broad compatibility across Java 
> versions.
> [JEP 339|https://openjdk.org/jeps/339] introduced support for the 
> Edwards-Curve Digital Signature Algorithm in Java 15. EdDSA and the 
> {{Ed25519}} instantiation provide high-performance signing and verification 
> using Elliptic Curve Cryptography. [RFC 
> 8037|https://www.rfc-editor.org/rfc/rfc8037] defines {{EdDSA}} with 
> {{Ed25519}} as a supported algorithm for JSON Web Token signing.
> {{EdDSA}} provides as good or better security than {{PS512}} using smaller 
> keys and signatures. Application Bearer Tokens with {{PS512}} require at 
> least 1 KB in each HTTP request header, but tokens signed with {{EdDSA}} are 
> less than half that size.
> With Java 21 as the baseline version for NiFi, no additional libraries are 
> required to support {{EdDSA}} signing and verification. Based on the security 
> and size considerations, the web framework should be modified to use 
> {{EdDSA}} and {{Ed25519}} for token signing and verification.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
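The Ed25519 signing and verification the issue describes, as an added example that is not NiFi's own code: it builds a compact JWS signing input, signs and verifies it with java.security.Signature, and contrasts the token size with a PS512 token from a 4096-bit RSA key. The class name, claims and helper names are constructed for illustration, and Ed25519 needs JDK 15 or later.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.security.spec.MGF1ParameterSpec;
import java.security.spec.PSSParameterSpec;
import java.util.Base64;

// Added example (not NiFi code): sign and verify a compact JWS with Ed25519 through
// java.security.Signature and compare its size with a 4096-bit PS512 token.
public class BearerTokenSigningExample {
    private static final Base64.Encoder B64 = Base64.getUrlEncoder().withoutPadding();
    // JWS signing input: base64url(header) "." base64url(claims); the header carries the JWA name
    static String signingInput(String alg, String claimsJson) {
        String header = "{\"alg\":\"" + alg + "\",\"typ\":\"JWT\"}";
        return B64.encodeToString(header.getBytes(StandardCharsets.UTF_8)) + "."
                + B64.encodeToString(claimsJson.getBytes(StandardCharsets.UTF_8));
    }
    static String sign(Signature signer, PrivateKey key, String input) throws GeneralSecurityException {
        signer.initSign(key);
        signer.update(input.getBytes(StandardCharsets.UTF_8));
        return input + "." + B64.encodeToString(signer.sign());
    }
    // Checks the third segment against the first two; a modified claim or wrong key yields false
    static boolean verify(Signature verifier, PublicKey key, String jws) throws GeneralSecurityException {
        int dot = jws.lastIndexOf('.');
        verifier.initVerify(key);
        verifier.update(jws.substring(0, dot).getBytes(StandardCharsets.UTF_8));
        return verifier.verify(Base64.getUrlDecoder().decode(jws.substring(dot + 1)));
    }
    // PS512 per RFC 7518: RSASSA-PSS with SHA-512, MGF1 with SHA-512 and a 64-byte salt
    static Signature ps512() throws GeneralSecurityException {
        Signature s = Signature.getInstance("RSASSA-PSS");
        s.setParameter(new PSSParameterSpec("SHA-512", "MGF1", MGF1ParameterSpec.SHA512, 64, 1));
        return s;
    }
    public static void main(String[] args) throws GeneralSecurityException {
        String claims = "{\"sub\":\"example-user\",\"exp\":1700000000}"; // constructed sample claims
        // Ed25519 (JEP 339, JDK 15+): 64-byte signature, 86 base64url characters, no extra provider
        KeyPair ed = KeyPairGenerator.getInstance("Ed25519").generateKeyPair();
        String edToken = sign(Signature.getInstance("Ed25519"), ed.getPrivate(), signingInput("EdDSA", claims));
        System.out.printf("EdDSA token: %d chars, verified=%b%n", edToken.length(),
                verify(Signature.getInstance("Ed25519"), ed.getPublic(), edToken));
        // PS512 with a 4096-bit RSA key: the signature alone is 512 bytes, 683 base64url characters
        KeyPairGenerator rsaGen = KeyPairGenerator.getInstance("RSA");
        rsaGen.initialize(4096);
        KeyPair rsa = rsaGen.generateKeyPair();
        String rsaToken = sign(ps512(), rsa.getPrivate(), signingInput("PS512", claims));
        System.out.printf("PS512 token: %d chars, verified=%b%n", rsaToken.length(),
                verify(ps512(), rsa.getPublic(), rsaToken));
    }
}
```

The printed lengths make the size difference from the issue concrete: the EdDSA signature segment is 86 characters against 683 for PS512, with identical header and claims.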