Laserfiche introduces various new features and bug fixes with Laserfiche Workflow 11 Update 3.
Feature Enhancement:
- The cryptographic algorithm Workflow uses to encrypt stored credentials has been updated from TDEA (also known as Triple DES, 3DES or TDES) to AES-256. All new workflows use AES-256 encryption. Workflow still decrypts data protected by the older TDEA and MD5-based schemes, and re-encrypts that data with AES-256 the next time the credentials are updated and the workflow is published or saved. Affected credentials include, but are not limited to, repository connection profiles, email server connections, web service connections, and passwords configured for PDFs.
- The move from TDEA to AES-256 primarily addresses compliance concerns, especially for government customers who must use FIPS 140-2 / 140-3 validated cryptography ("FIPS Mode") or otherwise adhere to NIST cryptography standards. Because of "Sweet32", a birthday (block collision) attack that exploits TDEA's 64-bit block size, NIST is sunsetting TDEA and Disallows it for encryption after December 31, 2023. It remains permitted for decryption after that date. See:
- Practical demonstrations of the Sweet32 attack have all involved encryption-in-transit use cases such as VPNs and TLS, where one key protects a long-lived session. The security firm Sophos published an article titled Anatomy of a cryptographic collision - the "Sweet32" attack that provides a detailed breakdown of the attack, summarizing it as follows:
- "Sweet32 is a way to attack encrypted web connections by generating huge amounts (many gigabytes) of web traffic, in the hope that the encryption algorithm in use will eventually (and entirely by chance) leak a tiny bit of information about the traffic it's encrypting."
- Laserfiche used TDEA to encrypt very small amounts of data at rest (a few kilobytes). Sweet32 needs on the order of 2^32 64-bit blocks (roughly 32 GB) encrypted under a single key before a block collision becomes likely; a few kilobytes is fewer than 2^10 blocks.
- Based on NIST guidance and other publicly available information about TDEA, Laserfiche assesses that the specific usage of TDEA within Laserfiche software is not vulnerable to any known attack against the algorithm.
- However, because NIST Disallows the algorithm for encryption after December 31, 2023 with no use-case exceptions, customers who must adhere to NIST / FIPS cryptography standards should upgrade their Laserfiche software before the deadline.
- Per NIST, after that date "TDEA will continue to be allowed for the decryption, key unwrapping, and verification of MACs of already-protected data". NIST standards therefore still allow continued use (decryption) of existing TDEA-encrypted connection profiles in Workflow. Any action that encrypts data, such as adding or updating a connection profile or publishing or saving a workflow, requires the updated software in order to comply with NIST / FIPS standards.
- Laserfiche Quick Fields also used TDEA to encrypt connection profiles. Quick Fields 11 Update 3 included a similar update to move from TDEA to AES-256.
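The migrate-on-save behaviour described above (legacy TDEA records stay decryptable, and anything that is saved is rewritten with AES-256), together with the birthday-bound arithmetic behind the Sweet32 assessment, as an added example. This is illustrative Go using only the standard library, not Laserfiche's code: the "v2:" record marker, the raw IV||ciphertext layout assumed for legacy TDEA records, the choice of 3DES-CBC with PKCS#7 for the old format and AES-256-GCM for the new one, and the keys derived from fixed strings are all assumptions made for the demo.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/des"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"math"
)

// v2Prefix is an assumed marker for AES-256-GCM records; legacy TDEA records are raw IV||ciphertext.
const v2Prefix = "v2:"

// Constructed demo keys (real keys come from a key store); sha256 only serves to get fixed-size bytes.
var demoTDEA, demoAES = sha256.Sum256([]byte("constructed TDEA key")), sha256.Sum256([]byte("constructed AES key"))

// EncryptTDEA exists only to fabricate a legacy record (IV || 3DES-CBC(PKCS#7(pt))) for the demo.
func EncryptTDEA(key, iv, pt []byte) ([]byte, error) {
	block, err := des.NewTripleDESCipher(key) // 24-byte key
	if err != nil {
		return nil, err
	}
	pad := des.BlockSize - len(pt)%des.BlockSize
	padded := append(append([]byte{}, pt...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	return append(append([]byte{}, iv...), ct...), nil
}
func decryptTDEA(key, blob []byte) ([]byte, error) {
	block, err := des.NewTripleDESCipher(key)
	if err != nil || len(blob) < 2*des.BlockSize || len(blob)%des.BlockSize != 0 {
		return nil, fmt.Errorf("TDEA key or record rejected (%v)", err)
	}
	pt := make([]byte, len(blob)-des.BlockSize)
	cipher.NewCBCDecrypter(block, blob[:des.BlockSize]).CryptBlocks(pt, blob[des.BlockSize:])
	if pad := int(pt[len(pt)-1]); pad > 0 && pad <= des.BlockSize { // strip PKCS#7 padding
		return pt[:len(pt)-pad], nil
	}
	return nil, fmt.Errorf("bad PKCS#7 padding")
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}
func encryptAES(key, pt []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	rand.Read(nonce) // crypto/rand: a fresh nonce for every record (Read cannot fail as of Go 1.24)
	// The marker is authenticated as AAD, so a v2 record cannot be relabelled as something else.
	return gcm.Seal(append([]byte(v2Prefix), nonce...), nonce, pt, []byte(v2Prefix)), nil
}
func decryptAES(key, blob []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil || len(blob) < len(v2Prefix)+gcm.NonceSize() {
		return nil, fmt.Errorf("AES key or record rejected (%v)", err)
	}
	body := blob[len(v2Prefix):]
	return gcm.Open(nil, body[:gcm.NonceSize()], body[gcm.NonceSize():], []byte(v2Prefix))
}

func IsV2(blob []byte) bool { return bytes.HasPrefix(blob, []byte(v2Prefix)) }

// Load reads either format; decrypting existing TDEA data is the "legacy use" NIST still permits.
func Load(tdeaKey, aesKey, blob []byte) ([]byte, error) {
	if IsV2(blob) {
		return decryptAES(aesKey, blob)
	}
	return decryptTDEA(tdeaKey, blob)
}

// Save is the migrate-on-save step: whatever format came in, AES-256-GCM goes back to storage.
func Save(tdeaKey, aesKey, blob []byte) (newBlob []byte, migrated bool, err error) {
	pt, err := Load(tdeaKey, aesKey, blob)
	if err != nil {
		return nil, false, err
	}
	newBlob, err = encryptAES(aesKey, pt)
	return newBlob, !IsV2(blob), err
}

// Sweet32CollisionProbability is the birthday bound for a 64-bit block cipher: with n = nBytes/8
// blocks under one key, P(some ciphertext block repeats) ~= 1 - exp(-n(n-1)/2^65).
func Sweet32CollisionProbability(nBytes float64) float64 {
	n := nBytes / 8
	return 1 - math.Exp(-n*(n-1)/math.Exp2(65))
}

func main() {
	legacy, _ := EncryptTDEA(demoTDEA[:24], make([]byte, des.BlockSize), []byte("svc_workflow:P@ssw0rd")) // constructed
	fresh, migrated, err := Save(demoTDEA[:24], demoAES[:], legacy)
	fmt.Println(migrated, IsV2(fresh), err, Sweet32CollisionProbability(4096), Sweet32CollisionProbability(32<<30))
}
```

Save reports migrated=true exactly when a legacy record was upgraded, so a caller can count how many TDEA records remain; Load on a legacy record never writes anything back, which mirrors the page's point that only an update, publish or save triggers re-encryption. Sweet32CollisionProbability(4096) comes out around 7e-15, while 32 GiB under one key gives roughly 0.39, which is the regime the in-transit demonstrations operate in.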
Bug fixes:
- Validation errors now display on the first attempt and erroneous publishing is no longer allowed when the Assign Field Value activity has a List type field. (398178)
- The "count" token tag now behaves like an "integer" tag rather than a "string" tag. (410928)
- Waiting child workflows that complete after a server migration now notify the parent workflow they are complete. (417704)
- Attach Electronic Document activity now sets the MIME type correctly. (420280)
- The WFUser$ autogenerated password length has been increased to meet modern standards. (420764)
- Folder contents conditions using input parameter tokens can now correctly evaluate to true. (423917)
Schema Changes:
- The "password" column of the "connection_profiles" table has its type changed from nvarchar(64) to nvarchar(128) to make room for the longer AES-256 ciphertext.
- The stored procedure "insert_connection_profile" has its password parameter type changed from nvarchar(64) to nvarchar(128) to match. Any custom scripts or integrations that write to this column or call this procedure should expect values of up to 128 characters.
Laserfiche Workflow 11 Update 3 is available as part of the Laserfiche 11 package.