Java Cryptography Extension (JCE) Limited Strength Jurisdiction Policies
Because of US export regulations, default JVMs have [limited cryptographic strength](http://docs.oracle.com/javase/7/docs/technotes/guides/security/SunProviders.html#importlimits) available to them. For example, AES operations are limited to 128-bit keys by default. While AES-128 is cryptographically safe, this limit can have unintended consequences, specifically for Password-Based Encryption (PBE).
PBE is the process of deriving a cryptographic key for encryption or decryption from user-provided secret material, usually a password. Rather than requiring a human to remember a random-looking 32 or 64 character hexadecimal string, a password or passphrase is used and the key is derived from it.

A number of the PBE algorithms provided by NiFi impose strict limits on the length of the password because of the underlying key length checks. The table below lists the maximum password length for each algorithm on a JVM with limited cryptographic strength.
| Algorithm | Max Password Length |
|---|---|
| PBEWITHMD5AND128BITAES-CBC-OPENSSL | 16 |
| PBEWITHMD5AND192BITAES-CBC-OPENSSL | 16 |
| PBEWITHMD5AND256BITAES-CBC-OPENSSL | 16 |
| PBEWITHMD5ANDDES | 16 |
| PBEWITHMD5ANDRC2 | 16 |
| PBEWITHSHA1ANDRC2 | 16 |
| PBEWITHSHA1ANDDES | 16 |
| PBEWITHSHAAND128BITAES-CBC-BC | 7 |
| PBEWITHSHAAND192BITAES-CBC-BC | 7 |
| PBEWITHSHAAND256BITAES-CBC-BC | 7 |
| PBEWITHSHAAND40BITRC2-CBC | 7 |
| PBEWITHSHAAND128BITRC2-CBC | 7 |
| PBEWITHSHAAND40BITRC4 | 7 |
| PBEWITHSHAAND128BITRC4 | 7 |
| PBEWITHSHA256AND128BITAES-CBC-BC | 7 |
| PBEWITHSHA256AND192BITAES-CBC-BC | 7 |
| PBEWITHSHA256AND256BITAES-CBC-BC | 7 |
| PBEWITHSHAAND2-KEYTRIPLEDES-CBC | 7 |
| PBEWITHSHAAND3-KEYTRIPLEDES-CBC | 7 |
| PBEWITHSHAANDTWOFISH-CBC | 7 |
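The practical question for an operator is whether the JVM running NiFi is actually subject to these limits, and whether a chosen password will be rejected before a flow is deployed. The following is an added example, not NiFi's own code, showing how to detect a limited-strength JVM with the standard `javax.crypto.Cipher.getMaxAllowedKeyLength` API and how to pre-check a password against the limits in the table above. The `JcePolicyCheck` class, its method names, and the map of limits (populated from the table) are constructed for this illustration.

```java
import javax.crypto.Cipher;
import java.security.NoSuchAlgorithmException;
import java.util.Map;

/**
 * Added example (not part of NiFi): detect whether the JCE limited-strength
 * jurisdiction policy is in effect and pre-check PBE password lengths.
 */
public class JcePolicyCheck {

    // Maximum password lengths on a limited-strength JVM, copied from the table above.
    // Only a representative subset is listed here; extend it with the remaining rows as needed.
    static final Map<String, Integer> LIMITED_MAX_PASSWORD_LENGTH = Map.of(
            "PBEWITHMD5AND128BITAES-CBC-OPENSSL", 16,
            "PBEWITHMD5AND256BITAES-CBC-OPENSSL", 16,
            "PBEWITHMD5ANDDES", 16,
            "PBEWITHSHAAND128BITAES-CBC-BC", 7,
            "PBEWITHSHAAND256BITAES-CBC-BC", 7,
            "PBEWITHSHA256AND256BITAES-CBC-BC", 7,
            "PBEWITHSHAAND3-KEYTRIPLEDES-CBC", 7,
            "PBEWITHSHAANDTWOFISH-CBC", 7);

    /**
     * Returns true when the unlimited-strength policy is active. The JCE reports
     * Integer.MAX_VALUE as the maximum AES key length in that case; a limited
     * policy reports 128.
     */
    static boolean isUnlimitedStrength() throws NoSuchAlgorithmException {
        return Cipher.getMaxAllowedKeyLength("AES") == Integer.MAX_VALUE;
    }

    /**
     * Throws IllegalArgumentException if the password would exceed the maximum
     * length NiFi enforces for the given algorithm on a limited-strength JVM.
     * On an unlimited-strength JVM no length check is applied.
     */
    static void checkPasswordLength(String algorithm, char[] password) throws NoSuchAlgorithmException {
        if (isUnlimitedStrength()) {
            return;
        }
        Integer max = LIMITED_MAX_PASSWORD_LENGTH.get(algorithm);
        if (max != null && password.length > max) {
            throw new IllegalArgumentException(algorithm + " allows at most " + max
                    + " password characters on this JVM (limited cryptographic strength); got "
                    + password.length);
        }
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        System.out.println("Max AES key length: " + Cipher.getMaxAllowedKeyLength("AES"));
        System.out.println("Unlimited strength: " + isUnlimitedStrength());

        // Constructed sample password; 10 characters exceeds the 7-character limit
        // for the SHA-based BouncyCastle algorithms when the policy is limited.
        char[] sample = "correct-ho".toCharArray();
        try {
            checkPasswordLength("PBEWITHSHAAND256BITAES-CBC-BC", sample);
            System.out.println("Password accepted");
        } catch (IllegalArgumentException e) {
            System.out.println("Rejected: " + e.getMessage());
        } finally {
            java.util.Arrays.fill(sample, '\0'); // clear secret material from memory
        }
    }
}
```

Run this with the same JVM and the same `JAVA_HOME` that NiFi uses, since the jurisdiction policy files live under the JRE's `lib/security` directory and a check run under a different JVM says nothing about NiFi's. A printed maximum of 128 means the limited policy is active and the password limits in the table apply; Integer.MAX_VALUE means the unlimited policy files have been installed and the limits do not apply.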