hadoop-common-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Uma Maheswara Rao G (JIRA)" <j...@apache.org>
Subject [jira] [Issue Comment Deleted] (HADOOP-10734) Implementation of true secure random with high performance using hardware random number generator.
Date Thu, 03 Jul 2014 03:43:25 GMT

     [ https://issues.apache.org/jira/browse/HADOOP-10734?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel

Uma Maheswara Rao G updated HADOOP-10734:

    Comment: was deleted

(was: [~cmccabe], thank you for the review. I update the patch based on your new comments
and the discussion which we talked offline.
I guess my question here is, if I compile against openssl 1.0.0 and run against 1.0.1, does
AES-CTR work? My understanding is that it does. So we should not fail the build just because
the compiler has version 1.0.0.
In the new patch, I remove openssl version (1.0.0 or 1.0.1) check in CMakeLists.txt, now it
can be compiled against openssl 1.0.0 and run against 1.0.1.

As we talked about, we should fail the tests when buildSupportsOpenssl is true but openssl
is not working (that way, we will know we have a configuration problem on Jenkins or any other
build system.)
Yes, this has been included. 

Specifically, we should call const char *SSLeay_version(int t); here and throw an exception
if the number is too low. We should not use the #define, since that is the version we compiled
with, which may not be the same as the version we're running with. (In fact, it rarely will
be the same, due to the security and export control difficulties associated with bundling

Basically dlsym for aes-ctr related symbols will fail if the Openssl version is not new enough,
so we don’t need to check the version specifically. And I refine the error message to:
{{Cannot find AES-CTR support, is your version of Openssl new enough?}}

> Implementation of true secure random with high performance using hardware random number
> --------------------------------------------------------------------------------------------------
>                 Key: HADOOP-10734
>                 URL: https://issues.apache.org/jira/browse/HADOOP-10734
>             Project: Hadoop Common
>          Issue Type: Sub-task
>          Components: security
>    Affects Versions: fs-encryption (HADOOP-10150 and HDFS-6134)
>            Reporter: Yi Liu
>            Assignee: Yi Liu
>             Fix For: fs-encryption (HADOOP-10150 and HDFS-6134)
>         Attachments: HADOOP-10734.patch
> This JIRA is to implement Secure random using JNI to OpenSSL, and implementation should
be thread-safe.
> Utilize RdRand to return random numbers from hardware random number generator. It's TRNG(True
Random Number generators) having much higher performance than {{java.security.SecureRandom}}.

> https://wiki.openssl.org/index.php/Random_Numbers
> http://en.wikipedia.org/wiki/RdRand
> https://software.intel.com/en-us/articles/performance-impact-of-intel-secure-key-on-openssl

This message was sent by Atlassian JIRA

View raw message