Java Cryptography Extension (JCE) Limited Strength Jurisdiction Policies

Because of US export regulations, default JVMs have http://docs.oracle.com/javase/7/docs/technotes/guides/security/SunProviders.html#importlimits available to them. For example, AES operations are limited to 128 bit keys by default. While AES-128 is cryptographically safe, this can have unintended consequences, specifically on Password-based Encryption (PBE).

PBE is the process of deriving a cryptographic key for encryption or decryption from user-provided secret material, usually a password. Rather than a human remembering a (random-appearing) 32 or 64 character hexadecimal string, a password or passphrase is used.

A number of PBE algorithms provided by NiFi impose strict limits on the length of the password due to the underlying key length checks. Below is a table listing the maximum password length on a JVM with limited cryptographic strength.

Table 1. Table 1. Maximum Password Length on Limited Cryptographic Strength JVM
Algorithm Max Password Length
PBEWITHMD5AND128BITAES-CBC-OPENSSL 16
PBEWITHMD5AND192BITAES-CBC-OPENSSL 16
PBEWITHMD5AND256BITAES-CBC-OPENSSL 16
PBEWITHMD5ANDDES 16
PBEWITHMD5ANDRC2 16
PBEWITHSHA1ANDRC2 16
PBEWITHSHA1ANDDES 16
PBEWITHSHAAND128BITAES-CBC-BC 7
PBEWITHSHAAND192BITAES-CBC-BC 7
PBEWITHSHAAND256BITAES-CBC-BC 7
PBEWITHSHAAND40BITRC2-CBC 7
PBEWITHSHAAND128BITRC2-CBC 7
PBEWITHSHAAND40BITRC4 7
PBEWITHSHAAND128BITRC4 7
PBEWITHSHA256AND128BITAES-CBC-BC 7
PBEWITHSHA256AND192BITAES-CBC-BC 7
PBEWITHSHA256AND256BITAES-CBC-BC 7
PBEWITHSHAAND2-KEYTRIPLEDES-CBC 7
PBEWITHSHAAND3-KEYTRIPLEDES-CBC 7
PBEWITHSHAANDTWOFISH-CBC 7