Java Cryptography Extension (JCE) Limited Strength Jurisdiction Policies

Because of US export regulations, default JVMs have http://docs.oracle.com/javase/7/docs/technotes/guides/security/SunProviders.html#importlimits available to them. For example, AES operations are limited to 128 bit keys by default. While AES-128 is cryptographically safe, this can have unintended consequences, specifically on Password-based Encryption (PBE).

PBE is the process of deriving a cryptographic key for encryption or decryption from user-provided secret material, usually a password. Rather than a human remembering a (random-appearing) 32 or 64 character hexadecimal string, a password or passphrase is used.

A number of PBE algorithms provided by NiFi impose strict limits on the length of the password due to the underlying key length checks. Below is a table listing the maximum password length on a JVM with limited cryptographic strength.

Table 1. Maximum Password Length on Limited Cryptographic Strength JVM
Algorithm	Max Password Length
`PBEWITHMD5AND128BITAES-CBC-OPENSSL`	16
`PBEWITHMD5AND192BITAES-CBC-OPENSSL`	16
`PBEWITHMD5AND256BITAES-CBC-OPENSSL`	16
`PBEWITHMD5ANDDES`	16
`PBEWITHMD5ANDRC2`	16
`PBEWITHSHA1ANDRC2`	16
`PBEWITHSHA1ANDDES`	16
`PBEWITHSHAAND128BITAES-CBC-BC`	7
`PBEWITHSHAAND192BITAES-CBC-BC`	7
`PBEWITHSHAAND256BITAES-CBC-BC`	7
`PBEWITHSHAAND40BITRC2-CBC`	7
`PBEWITHSHAAND128BITRC2-CBC`	7
`PBEWITHSHAAND40BITRC4`	7
`PBEWITHSHAAND128BITRC4`	7
`PBEWITHSHA256AND128BITAES-CBC-BC`	7
`PBEWITHSHA256AND192BITAES-CBC-BC`	7
`PBEWITHSHA256AND256BITAES-CBC-BC`	7
`PBEWITHSHAAND2-KEYTRIPLEDES-CBC`	7
`PBEWITHSHAAND3-KEYTRIPLEDES-CBC`	7
`PBEWITHSHAANDTWOFISH-CBC`	7