[jira] [Updated] (NIFI-3367) TLS Toolkit should enforce minimum length restriction on CA token
[ https://issues.apache.org/jira/browse/NIFI-3367?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Andy LoPresto updated NIFI-3367: Resolution: Fixed Fix Version/s: 1.6.0 Status: Resolved (was: Patch Available) A minimum length check of 16 bytes is enforced on the token. The rate limiting was not implemented. > TLS Toolkit should enforce minimum length restriction on CA token > - > > Key: NIFI-3367 > URL: https://issues.apache.org/jira/browse/NIFI-3367 > Project: Apache NiFi > Issue Type: Bug > Components: Tools and Build >Affects Versions: 1.1.1 >Reporter: Andy LoPresto >Assignee: Andy LoPresto >Priority: Major > Labels: security, tls-toolkit > Fix For: 1.6.0 > > > The TLS Toolkit uses a shared secret "token" when running in client/server > mode in order to perform pre-authentication when requesting a signed > certificate from the CA. There is a validation that this token is *required*, > but not that it is of a certain length. Because the HMAC construction is > available in the source code, the process could easily be brute-forced if the > token value is short. We should enforce a minimum length of 16 bytes > (regardless if read from {{config.json}} or provided via command line). > We may also want to add exponential rate-limiting on failed HMAC values for > the same requested public key DN in order to mitigate malicious requests. -- This message was sent by Atlassian JIRA (v7.6.3#76005)
[jira] [Updated] (NIFI-3367) TLS Toolkit should enforce minimum length restriction on CA token
[ https://issues.apache.org/jira/browse/NIFI-3367?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Andy LoPresto updated NIFI-3367: Status: Patch Available (was: In Progress) Lori Buettner contributed two commits which enforce a minimum length on the token and added/fixed existing unit tests to demonstrate this. > TLS Toolkit should enforce minimum length restriction on CA token > - > > Key: NIFI-3367 > URL: https://issues.apache.org/jira/browse/NIFI-3367 > Project: Apache NiFi > Issue Type: Bug > Components: Tools and Build >Affects Versions: 1.1.1 >Reporter: Andy LoPresto >Assignee: Andy LoPresto >Priority: Major > Labels: security, tls-toolkit > > The TLS Toolkit uses a shared secret "token" when running in client/server > mode in order to perform pre-authentication when requesting a signed > certificate from the CA. There is a validation that this token is *required*, > but not that it is of a certain length. Because the HMAC construction is > available in the source code, the process could easily be brute-forced if the > token value is short. We should enforce a minimum length of 16 bytes > (regardless if read from {{config.json}} or provided via command line). > We may also want to add exponential rate-limiting on failed HMAC values for > the same requested public key DN in order to mitigate malicious requests. -- This message was sent by Atlassian JIRA (v7.6.3#76005)