Java Cryptography Extension (JCE) Limited Strength Jurisdiction Policies
Because of US export regulations, default JVMs have limits imposed on the strength of cryptographic operations available to them. For example, AES operations are limited to 128 bit keys by default. While AES-128 is cryptographically safe, this can have unintended consequences, specifically on Password-based Encryption (PBE).
PBE is the process of deriving a cryptographic key for encryption or decryption from user-provided secret material, usually a password. Rather than a human remembering a (random-appearing) 32 or 64 character hexadecimal string, a password or passphrase is used.
A number of PBE algorithms provided by NiFi impose strict limits on the length of the password due to the underlying key length checks. Below is a table listing the maximum password length on a JVM with limited cryptographic strength.
| Algorithm | Max Password Length |
|---|---|
| PBEWITHMD5AND128BITAES-CBC-OPENSSL | 16 |
| PBEWITHMD5AND192BITAES-CBC-OPENSSL | 16 |
| PBEWITHMD5AND256BITAES-CBC-OPENSSL | 16 |
| PBEWITHMD5ANDDES | 16 |
| PBEWITHMD5ANDRC2 | 16 |
| PBEWITHSHA1ANDRC2 | 16 |
| PBEWITHSHA1ANDDES | 16 |
| PBEWITHSHAAND128BITAES-CBC-BC | 7 |
| PBEWITHSHAAND192BITAES-CBC-BC | 7 |
| PBEWITHSHAAND256BITAES-CBC-BC | 7 |
| PBEWITHSHAAND40BITRC2-CBC | 7 |
| PBEWITHSHAAND128BITRC2-CBC | 7 |
| PBEWITHSHAAND40BITRC4 | 7 |
| PBEWITHSHAAND128BITRC4 | 7 |
| PBEWITHSHA256AND128BITAES-CBC-BC | 7 |
| PBEWITHSHA256AND192BITAES-CBC-BC | 7 |
| PBEWITHSHA256AND256BITAES-CBC-BC | 7 |
| PBEWITHSHAAND2-KEYTRIPLEDES-CBC | 7 |
| PBEWITHSHAAND3-KEYTRIPLEDES-CBC | 7 |
| PBEWITHSHAANDTWOFISH-CBC | 7 |