Java Cryptography Extension (JCE) Limited Strength Jurisdiction Policies

Because of US export regulations, default JVMs have limits imposed on the strength of cryptographic operations available to them. For example, AES operations are limited to 128 bit keys by default. While AES-128 is cryptographically safe, this can have unintended consequences, specifically on Password-based Encryption (PBE).

PBE is the process of deriving a cryptographic key for encryption or decryption from user-provided secret material, usually a password. Rather than a human remembering a (random-appearing) 32 or 64 character hexadecimal string, a password or passphrase is used.

A number of PBE algorithms provided by NiFi impose strict limits on the length of the password due to the underlying key length checks. Below is a table listing the maximum password length on a JVM with limited cryptographic strength.

Table 1. Table 1. Maximum Password Length on Limited Cryptographic Strength JVM
Algorithm Max Password Length
PBEWITHMD5AND128BITAES-CBC-OPENSSL 16
PBEWITHMD5AND192BITAES-CBC-OPENSSL 16
PBEWITHMD5AND256BITAES-CBC-OPENSSL 16
PBEWITHMD5ANDDES 16
PBEWITHMD5ANDRC2 16
PBEWITHSHA1ANDRC2 16
PBEWITHSHA1ANDDES 16
PBEWITHSHAAND128BITAES-CBC-BC 7
PBEWITHSHAAND192BITAES-CBC-BC 7
PBEWITHSHAAND256BITAES-CBC-BC 7
PBEWITHSHAAND40BITRC2-CBC 7
PBEWITHSHAAND128BITRC2-CBC 7
PBEWITHSHAAND40BITRC4 7
PBEWITHSHAAND128BITRC4 7
PBEWITHSHA256AND128BITAES-CBC-BC 7
PBEWITHSHA256AND192BITAES-CBC-BC 7
PBEWITHSHA256AND256BITAES-CBC-BC 7
PBEWITHSHAAND2-KEYTRIPLEDES-CBC 7
PBEWITHSHAAND3-KEYTRIPLEDES-CBC 7
PBEWITHSHAANDTWOFISH-CBC 7