hadoop-common-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Yi Liu (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HADOOP-10734) Implementation of true secure random with high performance using hardware random number generator.
Date Thu, 03 Jul 2014 13:14:26 GMT

    [ https://issues.apache.org/jira/browse/HADOOP-10734?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14051427#comment-14051427
] 

Yi Liu commented on HADOOP-10734:
---------------------------------

Thanks [~cmccabe], [~apurtell], [~andrew.wang] for the comments.

I summarize several ways to generate secure random in linux, and why RdRand.

*  /dev/random, it uses an entropy pool of several entropy sources, such as mouse movement,
keyboard type and so on. If entropy pool is empty, reads to /dev/random will be blocked until
additional environment noise is gathered. 
    RdRand is used to improve the entropy by combining the values received from RdRand with
other sources of randomness.
    The reason of the combining way is some developers concern there may be back doors in
RdRand, but it’s not true.
*  /dev/urandom, it reuses the internal entropy pool and will return as many random bytes
as requested. The call will not block, and the outpout may contain less entropy than the corresponding
read from /dev/random. If the entropy pool is empty, it will generate data using SHA or other
algorithms.
* In java, new SecureRandom(), will read bytes from /dev/urandom and do {{xor}} with bytes
from java SHA1PRNG. 
* RdRand, hardware generator. In Openssl, it’s recommended to use hardware generators, it
says their entropy is always nearly 100%. We can use RdRand directly.

So we can see, option 4, the RdRand is faster than others and the entropy is nearly 100%.

http://en.wikipedia.org/wiki/RdRand
http://wiki.openssl.org/index.php/Random_Numbers
http://en.wikipedia.org/?title=/dev/random
http://docs.oracle.com/javase/7/docs/api/java/security/SecureRandom.html


> Implementation of true secure random with high performance using hardware random number
generator.
> --------------------------------------------------------------------------------------------------
>
>                 Key: HADOOP-10734
>                 URL: https://issues.apache.org/jira/browse/HADOOP-10734
>             Project: Hadoop Common
>          Issue Type: Sub-task
>          Components: security
>    Affects Versions: fs-encryption (HADOOP-10150 and HDFS-6134)
>            Reporter: Yi Liu
>            Assignee: Yi Liu
>             Fix For: fs-encryption (HADOOP-10150 and HDFS-6134)
>
>         Attachments: HADOOP-10734.patch
>
>
> This JIRA is to implement Secure random using JNI to OpenSSL, and implementation should
be thread-safe.
> Utilize RdRand to return random numbers from hardware random number generator. It's TRNG(True
Random Number generators) having much higher performance than {{java.security.SecureRandom}}.

> https://wiki.openssl.org/index.php/Random_Numbers
> http://en.wikipedia.org/wiki/RdRand
> https://software.intel.com/en-us/articles/performance-impact-of-intel-secure-key-on-openssl



--
This message was sent by Atlassian JIRA
(v6.2#6252)

Mime
View raw message