[jira] [Updated] (NIFI-3367) TLS Toolkit should enforce minimum length restriction on CA token
[
https://issues.apache.org/jira/browse/NIFI-3367?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Andy LoPresto updated NIFI-3367:
Resolution: Fixed
Fix Version/s: 1.6.0
Status: Resolved (was: Patch Available)
A minimum length check of 16 bytes is enforced on the token. The rate limiting
was not implemented.
> TLS Toolkit should enforce minimum length restriction on CA token
> -
>
> Key: NIFI-3367
> URL: https://issues.apache.org/jira/browse/NIFI-3367
> Project: Apache NiFi
> Issue Type: Bug
> Components: Tools and Build
>Affects Versions: 1.1.1
>Reporter: Andy LoPresto
>Assignee: Andy LoPresto
>Priority: Major
> Labels: security, tls-toolkit
> Fix For: 1.6.0
>
>
> The TLS Toolkit uses a shared secret "token" when running in client/server
> mode in order to perform pre-authentication when requesting a signed
> certificate from the CA. There is a validation that this token is *required*,
> but not that it is of a certain length. Because the HMAC construction is
> available in the source code, the process could easily be brute-forced if the
> token value is short. We should enforce a minimum length of 16 bytes
> (regardless if read from {{config.json}} or provided via command line).
> We may also want to add exponential rate-limiting on failed HMAC values for
> the same requested public key DN in order to mitigate malicious requests.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
[jira] [Updated] (NIFI-3367) TLS Toolkit should enforce minimum length restriction on CA token
[
https://issues.apache.org/jira/browse/NIFI-3367?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Andy LoPresto updated NIFI-3367:
Status: Patch Available (was: In Progress)
Lori Buettner contributed two commits which enforce a minimum length on the
token and added/fixed existing unit tests to demonstrate this.
> TLS Toolkit should enforce minimum length restriction on CA token
> -
>
> Key: NIFI-3367
> URL: https://issues.apache.org/jira/browse/NIFI-3367
> Project: Apache NiFi
> Issue Type: Bug
> Components: Tools and Build
>Affects Versions: 1.1.1
>Reporter: Andy LoPresto
>Assignee: Andy LoPresto
>Priority: Major
> Labels: security, tls-toolkit
>
> The TLS Toolkit uses a shared secret "token" when running in client/server
> mode in order to perform pre-authentication when requesting a signed
> certificate from the CA. There is a validation that this token is *required*,
> but not that it is of a certain length. Because the HMAC construction is
> available in the source code, the process could easily be brute-forced if the
> token value is short. We should enforce a minimum length of 16 bytes
> (regardless if read from {{config.json}} or provided via command line).
> We may also want to add exponential rate-limiting on failed HMAC values for
> the same requested public key DN in order to mitigate malicious requests.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
