Administration
Also available as:
PDF
loading table of contents...

Java Cryptography Extension (JCE) Limited Strength Jurisdiction Policies

Because of US export regulations, default JVMs have limits imposed on the strength of cryptographic operations available to them. For example, AES operations are limited to 128 bit keys by default. While AES-128 is cryptographically safe, this can have unintended consequences, specifically on Password-based Encryption (PBE).

PBE is the process of deriving a cryptographic key for encryption or decryption from user-provided secret material, usually a password. Rather than a human remembering a (random-appearing) 32 or 64 character hexadecimal string, a password or passphrase is used.

A number of PBE algorithms provided by NiFi impose strict limits on the length of the password due to the underlying key length checks. Below is a table listing the maximum password length on a JVM with limited cryptographic strength.

Table 1.1. Table 1. Maximum Password Length on Limited Cryptographic Strength JVM

Algorithm

Max Password Length

PBEWITHMD5AND128BITAES-CBC-OPENSSL

16

PBEWITHMD5AND192BITAES-CBC-OPENSSL

16

PBEWITHMD5AND256BITAES-CBC-OPENSSL

16

PBEWITHMD5ANDDES

16

PBEWITHMD5ANDRC2

16

PBEWITHSHA1ANDRC2

16

PBEWITHSHA1ANDDES

16

PBEWITHSHAAND128BITAES-CBC-BC

7

PBEWITHSHAAND192BITAES-CBC-BC

7

PBEWITHSHAAND256BITAES-CBC-BC

7

PBEWITHSHAAND40BITRC2-CBC

7

PBEWITHSHAAND128BITRC2-CBC

7

PBEWITHSHAAND40BITRC4

7

PBEWITHSHAAND128BITRC4

7

PBEWITHSHA256AND128BITAES-CBC-BC

7

PBEWITHSHA256AND192BITAES-CBC-BC

7

PBEWITHSHA256AND256BITAES-CBC-BC

7

PBEWITHSHAAND2-KEYTRIPLEDES-CBC

7

PBEWITHSHAAND3-KEYTRIPLEDES-CBC

7

PBEWITHSHAANDTWOFISH-CBC

7