nifi-commits mailing list archives

From "ASF subversion and git services (JIRA)" <>
Subject [jira] [Commented] (NIFI-1259) Provide keyed symmetric encryption capability
Date Fri, 05 Feb 2016 00:41:39 GMT


ASF subversion and git services commented on NIFI-1259:

Commit 498b5023ce4f99e67184f399de740b142fca510d in nifi's branch refs/heads/master from [~alopresto]
[;h=498b502 ]

NIFI-1257 NIFI-1259

Added utility method to return the maximum acceptable password length for PBE ciphers on JVM
with limited strength crypto because BC implementation is undocumented (based on empirical
Updated EncryptionMethod definitions to accurately reflect need for unlimited strength crypto
according to algorithm key length.
Added processor logic to invoke keyed cipher.
Added EncryptContent processor property for raw hex key (always visible until NIFI-1121).
Added validations for KDF (keyed and PBE) and hex key.
Added utility method to return list of valid key lengths for algorithm.
Added description to allowable values for KDF and encryption method in EncryptContent processor.
Added IV read/write to KeyedCipherProvider and changed from interface to abstract class.
Added salt read/write logic to NifiLegacy and OpenSSL cipher providers.
Changed RandomIVPBECipherProvider from interface to abstract class.
Updated strong KDF implementations.
Renamed CipherFactory to CipherProviderFactory.
Added unit test for registered KDF resolution from factory.
Updated default iteration count for PBKDF2 cipher provider.
Implemented Scrypt cipher provider.
Added salt translator from mcrypt format to Java format.
Added unit tests for salt formatting and validation.
Added surefire block to groovy unit test profile to enforce 3072 MB heap for Scrypt test.
Added local Java implementation of Scrypt KDF (and underlying PBKDF2 KDF) from Will Glozer.
Defined interface for KeyedCipherProvider.
Implemented AES implementation for KeyedCipherProvider.
Added Ruby script to test/resources for external compatibility check.
Added key length check to PBKDF2 cipher provider.
Changed default PRF to SHA-512.
Added salt and key length check to PBKDF2 cipher provider.
Added utility method to check key length validity for cipher families.
Added Bcrypt implementation.
Implemented PBKDF2 cipher provider.
Added default constructor with strong choices for PBKDF2 cipher provider.
Implemented NiFiLegacyCipherProvider and added unit tests.
Added key length parameter to PBKDF2 cipher provider.
Added PRF resolution to PBKDF2 cipher provider.
Added RandomIVPBECipherProvider to allow for non-deterministic IVs.
Added new keyed encryption methods and added boolean field for compatibility with new KDFs.
Added CipherFactory.
Improved Javadoc in NiFi legacy cipher provider and OpenSSL cipher provider.
Added KeyedCipherProvider interface.
Added OpenSSL PKCS#5 v1.5 EVP_BytesToKey cipher provider and unit test.

This closes #201.

Signed-off-by: Aldrin Piri <>

> Provide keyed symmetric encryption capability
> ---------------------------------------------
>                 Key: NIFI-1259
>                 URL:
>             Project: Apache NiFi
>          Issue Type: Improvement
>          Components: Core Framework
>    Affects Versions: 0.4.0
>            Reporter: Andy LoPresto
>            Assignee: Andy LoPresto
>              Labels: encryption, security
>             Fix For: 0.5.0
> Currently the only symmetric encryption/decryption capability in EncryptContent processor
> is via password-based encryption (PBE). We should add support for key-based encryption. This
> is far more common in systems communication that are not reading from/writing to "human-protected"
> data where password memorization is important.
> I recommend providing AES/CBC/PKCS5Padding with 128, 192, and 256 bit keys as well as
> AES/GCM/NoPadding with the same key sizes for authenticated encryption with associated data
> (AEAD) capabilities.

This message was sent by Atlassian JIRA
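
The keyed AES/GCM mode recommended in the issue description, with the raw hex key validation and key length checks the commit message lists, sketched as an added example that is not part of the original message and is not NiFi's code. The class name, the `IV || ciphertext || tag` layout and the sample key are assumptions constructed for illustration.

```java
import javax.crypto.AEADBadTagException;
import javax.crypto.Cipher;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;

public class KeyedAesGcmExample { // hypothetical class, not a NiFi type
    static final int IV_LEN = 12, TAG_BITS = 128; // 96-bit IV, 128-bit tag
    // Decode a raw hex key and reject anything that is not a usable AES key on this JVM.
    static SecretKeySpec keyFromHex(String hex) throws Exception {
        if (hex == null || !hex.matches("(?:[0-9a-fA-F]{2})+"))
            throw new IllegalArgumentException("key must be an even-length hex string");
        byte[] raw = new byte[hex.length() / 2];
        for (int i = 0; i < raw.length; i++)
            raw[i] = (byte) Integer.parseInt(hex.substring(2 * i, 2 * i + 2), 16);
        int bits = raw.length * 8;
        if (bits != 128 && bits != 192 && bits != 256)
            throw new IllegalArgumentException("AES key must be 128, 192 or 256 bits, got " + bits);
        // A JVM restricted to limited strength crypto reports 128 here for AES.
        if (bits > Cipher.getMaxAllowedKeyLength("AES"))
            throw new IllegalArgumentException(bits + "-bit key needs unlimited strength crypto");
        return new SecretKeySpec(raw, "AES");
    }
    // Writes a fresh random IV in front of the ciphertext (layout assumed by this example).
    static byte[] encrypt(SecretKeySpec key, byte[] plaintext) throws Exception {
        byte[] iv = new byte[IV_LEN];
        new SecureRandom().nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, iv));
        byte[] ct = c.doFinal(plaintext); // ciphertext with the tag appended
        byte[] out = Arrays.copyOf(iv, IV_LEN + ct.length);
        System.arraycopy(ct, 0, out, IV_LEN, ct.length);
        return out;
    }
    // Reads the IV back from the message; doFinal throws AEADBadTagException on tampering.
    static byte[] decrypt(SecretKeySpec key, byte[] msg) throws Exception {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, msg, 0, IV_LEN));
        return c.doFinal(msg, IV_LEN, msg.length - IV_LEN);
    }
    public static void main(String[] args) throws Exception {
        SecretKeySpec key = keyFromHex("000102030405060708090a0b0c0d0e0f"); // constructed sample key
        byte[] msg = encrypt(key, "flowfile content".getBytes(StandardCharsets.UTF_8));
        System.out.println(new String(decrypt(key, msg), StandardCharsets.UTF_8));
        msg[msg.length - 1] ^= 1; // flip one bit of the authentication tag
        try { decrypt(key, msg); } catch (AEADBadTagException e) { System.out.println("tampering detected"); }
    }
}
```

Unlike AES/CBC/PKCS5Padding, the GCM mode fails decryption outright when the ciphertext or tag has been modified, which is the authenticated-encryption property the issue asks for.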
