hadoop-common-issues mailing list archives

From "Robert Kanter (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HADOOP-14246) Authentication Tokens should use SecureRandom instead of Random and 256 bit secrets
Date Wed, 29 Mar 2017 20:39:41 GMT

    [ https://issues.apache.org/jira/browse/HADOOP-14246?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15947846#comment-15947846 ]

Robert Kanter commented on HADOOP-14246:
----------------------------------------

I did some more playing around with this, and it turns out we've actually been using variable
length secrets this whole time.  The old code
{code:java}
Long.toString(rand.nextLong()).getBytes(Charset.forName("UTF-8"));
{code}
varies in length.  It seems to usually be 20 bytes (160 bits) but I've also seen it be 19
bytes (152 bits).  
So it turns out we've been testing this for a long time :)

> Authentication Tokens should use SecureRandom instead of Random and 256 bit secrets
> -----------------------------------------------------------------------------------
>
>                 Key: HADOOP-14246
>                 URL: https://issues.apache.org/jira/browse/HADOOP-14246
>             Project: Hadoop Common
>          Issue Type: Improvement
>          Components: security
>    Affects Versions: 2.9.0
>            Reporter: Robert Kanter
>            Assignee: Robert Kanter
>         Attachments: HADOOP-14246.001.patch
>
>
> {{RandomSignerSecretProvider}} and {{ZKSignerSecretProvider}} currently use a {{long}}
> generated by {{Random}} (which is then converted to a {{String}} and is 160 bits) for secrets.
>
> We should improve this to use 256 bit secrets generated by {{SecureRandom}}.
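To make the length variation in the comment above concrete, here is an added Java example (not code from the Hadoop code base or from the HADOOP-14246 patch) that runs the old expression repeatedly, tallies the byte lengths it produces, and contrasts it with a fixed-length 256-bit secret drawn from SecureRandom. The class and method names are my own.

```java
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Map;
import java.util.Random;
import java.util.TreeMap;

public class SecretLengthDemo {

    /** Old scheme: the decimal text of a java.util.Random long, as UTF-8 bytes. */
    static byte[] oldSecret(Random rand) {
        return Long.toString(rand.nextLong()).getBytes(StandardCharsets.UTF_8);
    }

    /** Proposed scheme: 32 raw bytes (256 bits) from a SecureRandom instance. */
    static byte[] newSecret(SecureRandom rand) {
        byte[] secret = new byte[32];
        rand.nextBytes(secret);
        return secret;
    }

    public static void main(String[] args) {
        Random rand = new Random();
        Map<Integer, Integer> histogram = new TreeMap<>();
        for (int i = 0; i < 100_000; i++) {
            histogram.merge(oldSecret(rand).length, 1, Integer::sum);
        }
        // A positive long prints as up to 19 digits; a negative one gains a '-' sign,
        // so the "160-bit" secret is really 19 or 20 ASCII bytes (rarely fewer, when
        // the value happens to have leading zeros in its high digits).
        System.out.println("old secret lengths (bytes -> count): " + histogram);

        // Note that the text length is not the entropy: java.util.Random is seeded
        // with 48 bits, so no output of the old scheme carries more than 48 bits,
        // whatever its byte length. The replacement below is always 32 bytes.
        byte[] fixed = newSecret(new SecureRandom());
        System.out.println("new secret: " + fixed.length + " bytes, "
                + (fixed.length * 8) + " bits");
    }
}
```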



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)


