hadoop-hdfs-issues mailing list archives

From "Andrew Wang (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HDFS-6737) DFSClient should use IV generated based on the configured CipherSuite with codecs used
Date Thu, 24 Jul 2014 23:13:38 GMT

    [ https://issues.apache.org/jira/browse/HDFS-6737?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14073813#comment-14073813 ]

Andrew Wang commented on HDFS-6737:
-----------------------------------

Hi Uma, good points here. I chatted with [~tucu00] about this, here's how it works right now:

- Each encryption zone has an ezKey of some size. generateEncryptedKey hardcodes usage of
AES/CTR/NoPadding, which means a 16B IV.
- When generating a new encrypted key, it has the same keySize as the ezKey and same IV size
as the hardcoded AES/CTR/NoPadding
- All AES algorithms use a 16B IV, so we're fine as long as the DEK is always AES too (okay
limitation)
- We don't foresee switching the hardcoded AES/CTR/NoPadding, so don't need to pass a CipherSuite
into generate/decryptEncryptedKey
- Enforcing that the ezKey and DEK need to have the same keySize is not great, but tucu thinks
it's a reasonable limitation. If a user wants to change the keysize, they need to make a new
EZ with a bigger ezKey and copy everything there.
- You can still use whatever AES algorithm you want for the actual data encryption, which
is what the per-file CipherSuite specifies.

I find this pretty complicated, so it is definitely something we need to put in the user documentation.
createEncryptionZone also seems like it needs a way of specifying the key size, but we could
do that when we actually support AES-256. Do you think we need any other improvements? We
could try to improve how things are modeled in CipherSuite (since we depend on the block size
being 16B), but maybe it's okay as is.

> DFSClient should use IV generated based on the configured CipherSuite with codecs used
> --------------------------------------------------------------------------------------
>
>                 Key: HDFS-6737
>                 URL: https://issues.apache.org/jira/browse/HDFS-6737
>             Project: Hadoop HDFS
>          Issue Type: Sub-task
>          Components: hdfs-client
>    Affects Versions: fs-encryption (HADOOP-10150 and HDFS-6134)
>            Reporter: Uma Maheswara Rao G
>            Assignee: Uma Maheswara Rao G
>         Attachments: HDFS-6737.patch
>
>
> Seems like we are using IV as like Encrypted data encryption key iv. But the underlying
> Codec's cipher suite may expect different iv length. So, we should generate IV from the Codec's
> cipher suite configured.
> {code}
>  final CryptoInputStream cryptoIn =
>           new CryptoInputStream(dfsis, CryptoCodec.getInstance(conf, 
>               feInfo.getCipherSuite()), feInfo.getEncryptedDataEncryptionKey(),
>               feInfo.getIV());
> {code}
> So, instead of using feInfo.getIV(), we should generate like
> {code}
> byte[] iv = new byte[codec.getCipherSuite().getAlgorithmBlockSize()]; 
> codec.generateSecureRandom(iv);
> {code}



--
This message was sent by Atlassian JIRA
(v6.2#6252)
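
The sizing rules discussed in the comment above, as an added example that is not part of the original message and is not Hadoop code: it uses only the JDK's `javax.crypto`, the class and helper names are hypothetical, and the keys are random stand-ins. It takes the IV length from the cipher's block size, wraps a DEK of the same size as the zone key under AES/CTR/NoPadding, and checks that an IV of any other length is refused.

```java
import java.security.GeneralSecurityException;
import java.security.InvalidAlgorithmParameterException;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;

// Added illustration; EdekIvSizeDemo, random() and ctr() are hypothetical names.
public class EdekIvSizeDemo {
    static final String TRANSFORM = "AES/CTR/NoPadding"; // transformation named in the comment
    static final SecureRandom RNG = new SecureRandom();

    static byte[] random(int n) { byte[] b = new byte[n]; RNG.nextBytes(b); return b; }

    // Run AES/CTR over data; encryption and decryption differ only in the mode flag.
    static byte[] ctr(int mode, byte[] key, byte[] iv, byte[] data) throws GeneralSecurityException {
        Cipher c = Cipher.getInstance(TRANSFORM);
        c.init(mode, new SecretKeySpec(key, "AES"), new IvParameterSpec(iv));
        return c.doFinal(data);
    }

    public static void main(String[] args) throws GeneralSecurityException {
        // The AES block size does not depend on the key size, so the IV length does not either.
        int blockSize = Cipher.getInstance(TRANSFORM).getBlockSize();
        for (int keyBytes : new int[] {16, 32}) {
            // Skip key sizes a restricted JCE policy would not allow.
            if (keyBytes * 8 > Cipher.getMaxAllowedKeyLength("AES")) continue;
            byte[] ezKey = random(keyBytes); // constructed stand-in for the zone key
            byte[] dek = random(keyBytes);   // DEK has the same size as the ezKey
            byte[] iv = random(blockSize);   // IV sized from the cipher, not from the key
            byte[] edek = ctr(Cipher.ENCRYPT_MODE, ezKey, iv, dek);
            byte[] back = ctr(Cipher.DECRYPT_MODE, ezKey, iv, edek);
            System.out.printf("key=%dB iv=%dB edek=%dB roundtrip=%b%n",
                keyBytes, iv.length, edek.length, Arrays.equals(dek, back));
        }
        try {
            // An IV whose length is not the block size is rejected when the cipher is initialised.
            ctr(Cipher.ENCRYPT_MODE, random(16), random(8), random(16));
            System.out.println("8B IV accepted (unexpected)");
        } catch (InvalidAlgorithmParameterException e) {
            System.out.println("8B IV rejected: " + e.getMessage());
        }
    }
}
```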
