hadoop-hdfs-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Mike Yoder (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HDFS-6134) Transparent data at rest encryption
Date Fri, 20 Jun 2014 16:49:27 GMT

    [ https://issues.apache.org/jira/browse/HDFS-6134?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14039014#comment-14039014
] 

Mike Yoder commented on HDFS-6134:
----------------------------------

[~hitliuyi] - regarding your first point - it's actually worse than that.  Have a look at
http://en.wikipedia.org/wiki/Stream_cipher_attack.  The attack is to xor C1 and C2.  Doing
the math, 
{noformat}
C1 xor C2 = P1 xor F(Key,IV) xor P2 xor F(Key,IV)
F(Key,IV) xor F(Key,IV) = 0
so
C1 xor C2 = P1 xor P2
{noformat}
xoring two plaintexts together is actually really easy to crack.  As an example, have a look
at the images here for an example - the author xors two images together to get a third image,
which has both plainly visible: http://stackoverflow.com/questions/8504882/searching-for-a-way-to-do-bitwise-xor-on-images

Regarding point 2 - quite happy you agree.  This is what ecryptfs does; it's a good model.

> Transparent data at rest encryption
> -----------------------------------
>
>                 Key: HDFS-6134
>                 URL: https://issues.apache.org/jira/browse/HDFS-6134
>             Project: Hadoop HDFS
>          Issue Type: New Feature
>          Components: security
>    Affects Versions: 2.3.0
>            Reporter: Alejandro Abdelnur
>            Assignee: Alejandro Abdelnur
>         Attachments: ConceptualDesignProposal_2014-06-19.pdf, HDFSDataAtRestEncryption.pdf
>
>
> Because of privacy and security regulations, for many industries, sensitive data at rest
must be in encrypted form. For example: the health­care industry (HIPAA regulations), the
card payment industry (PCI DSS regulations) or the US government (FISMA regulations).
> This JIRA aims to provide a mechanism to encrypt HDFS data at rest that can be used transparently
by any application accessing HDFS via Hadoop Filesystem Java API, Hadoop libhdfs C library,
or WebHDFS REST API.
> The resulting implementation should be able to be used in compliance with different regulation
requirements.



--
This message was sent by Atlassian JIRA
(v6.2#6252)

Mime
View raw message