Return-Path:
X-Original-To: apmail-hbase-dev-archive@www.apache.org
Delivered-To: apmail-hbase-dev-archive@www.apache.org
Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id 37E5717BF3 for ; Mon, 20 Apr 2015 17:22:00 +0000 (UTC)
Received: (qmail 87933 invoked by uid 500); 20 Apr 2015 17:21:59 -0000
Delivered-To: apmail-hbase-dev-archive@hbase.apache.org
Received: (qmail 87814 invoked by uid 500); 20 Apr 2015 17:21:59 -0000
Mailing-List: contact dev-help@hbase.apache.org; run by ezmlm
Precedence: bulk
List-Help:
List-Unsubscribe:
List-Post:
List-Id:
Reply-To: dev@hbase.apache.org
Delivered-To: mailing list dev@hbase.apache.org
Received: (qmail 87525 invoked by uid 99); 20 Apr 2015 17:21:59 -0000
Received: from arcas.apache.org (HELO arcas.apache.org) (140.211.11.28) by apache.org (qpsmtpd/0.29) with ESMTP; Mon, 20 Apr 2015 17:21:59 +0000
Date: Mon, 20 Apr 2015 17:21:59 +0000 (UTC)
From: "Andrew Purtell (JIRA)"
To: dev@hbase.apache.org
Message-ID:
In-Reply-To:
References:
Subject: [jira] [Created] (HBASE-13511) Derive data keys with HKDF
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit
X-JIRA-FingerPrint: 30527f35849b9dde25b450d4833f0394

Andrew Purtell created HBASE-13511:
--------------------------------------

Summary: Derive data keys with HKDF
Key: HBASE-13511
URL: https://issues.apache.org/jira/browse/HBASE-13511
Project: HBase
Issue Type: Sub-task
Reporter: Andrew Purtell
Assignee: Andrew Purtell
Priority: Minor
Fix For: 2.0.0, 1.1.0, 0.98.13, 1.0.2

When we are locally managing master key material, and users have supplied their own data key material, derive the actual data keys using HKDF (https://tools.ietf.org/html/rfc5869):

DK' = HKDF(S, DK, MK)

where
S = salt
DK = user supplied data key
MK = master key
DK' = derived data key for the HFile

User supplied key material may be weak, or an attacker may have some partial knowledge of it.

Where we generate random data keys we can still use HKDF as a way to mix more entropy into the secure random generator.

DK' = HKDF(R, MK)

where
R = random key material drawn from the system's secure random generator
MK = master key

(Salting isn't useful here because the salt S and R would be drawn from the same pool, so they will not have statistical independence.)

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
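The two derivations sketched in the ticket, worked through as an added example. This is not HBase code and not the ticket's own patch; it is a from-scratch RFC 5869 HKDF over HMAC-SHA256 from the Python standard library, checked against the RFC's first test vector so the primitive can be trusted. How the ticket's HKDF(S, DK, MK) and HKDF(R, MK) map onto the RFC's (salt, IKM, info) parameters is an assumption made here: S is the salt, the user-supplied DK (or the random R) is the IKM, and the locally managed master key MK is bound in through the info field. The sample master key, user key and salts are constructed for the demo. The point worth seeing in code is that HKDF does not manufacture entropy: a weak or partially known DK yields a DK' that is only safe because MK is secret and mixed into every derivation, and the random-key path likewise gains from depending on both R and MK rather than on R alone.

```python
"""HKDF (RFC 5869) data-key derivation in the shape proposed by HBASE-13511.

Added example, not HBase code. The mapping of the ticket's
HKDF(S, DK, MK) / HKDF(R, MK) onto RFC 5869's (salt, IKM, info)
is an assumption: salt=S, IKM=DK (or R), info=MK.
"""
import hashlib
import hmac
import secrets
from typing import Optional

HASH = hashlib.sha256
HASH_LEN = HASH().digest_size  # 32 bytes for SHA-256


def hkdf_extract(salt: Optional[bytes], ikm: bytes) -> bytes:
    """HKDF-Extract: PRK = HMAC-Hash(salt, IKM); an absent salt is HashLen zero bytes."""
    if not salt:
        salt = b"\x00" * HASH_LEN
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand: T(i) = HMAC-Hash(PRK, T(i-1) | info | i); OKM = first L bytes."""
    if length > 255 * HASH_LEN:
        raise ValueError("requested key length exceeds 255 * HashLen")
    okm = b""
    block = b""
    counter = 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]


def hkdf(salt: Optional[bytes], ikm: bytes, info: bytes, length: int) -> bytes:
    """Full HKDF: extract then expand."""
    return hkdf_expand(hkdf_extract(salt, ikm), info, length)


def derive_user_data_key(salt: bytes, user_key: bytes, master_key: bytes,
                         length: int = 16) -> bytes:
    """DK' = HKDF(S, DK, MK): the user-supplied DK is the IKM, S the salt, and
    the master key MK is bound in via info (assumed mapping). The output depends
    on MK, so partial knowledge of DK alone does not give partial knowledge of DK'."""
    return hkdf(salt, user_key, master_key, length)


def derive_random_data_key(master_key: bytes, length: int = 16,
                           random_material: Optional[bytes] = None) -> bytes:
    """DK' = HKDF(R, MK): R from the secure random generator, no salt (a salt
    drawn from the same pool adds nothing), MK as info (assumed mapping).
    `random_material` may be supplied to make the derivation reproducible in tests."""
    r = random_material if random_material is not None else secrets.token_bytes(HASH_LEN)
    return hkdf(None, r, master_key, length)


# RFC 5869 Appendix A, test case 1 (SHA-256), used to check the primitive.
RFC5869_TC1 = {
    "ikm": bytes.fromhex("0b" * 22),
    "salt": bytes.fromhex("000102030405060708090a0b0c"),
    "info": bytes.fromhex("f0f1f2f3f4f5f6f7f8f9"),
    "length": 42,
    "prk": "077709362c2e32df0ddc3f0dc47bba6390b6c73bb50f9c3122ec844ad7c2b3e5",
    "okm": "3cb25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c5db02d56ecc4c5bf"
           "34007208d5b887185865",
}


def self_check() -> bool:
    """True when this implementation reproduces the RFC 5869 test vector."""
    tc = RFC5869_TC1
    prk = hkdf_extract(tc["salt"], tc["ikm"])
    okm = hkdf(tc["salt"], tc["ikm"], tc["info"], tc["length"])
    return prk.hex() == tc["prk"] and okm.hex() == tc["okm"]


if __name__ == "__main__":
    # Constructed sample inputs; a real deployment reads MK from its key provider.
    master_key = bytes.fromhex("00112233445566778899aabbccddeeff")
    weak_user_key = b"password"  # deliberately weak user-supplied DK
    salt_a = secrets.token_bytes(16)
    salt_b = secrets.token_bytes(16)
    print("RFC 5869 self-check:", self_check())
    print("DK' (salt A):", derive_user_data_key(salt_a, weak_user_key, master_key).hex())
    print("DK' (salt B):", derive_user_data_key(salt_b, weak_user_key, master_key).hex())
    print("DK' (random):", derive_random_data_key(master_key).hex())
```

Run it directly to see the self-check and three derived keys; the two salted derivations of the same weak key differ, and each differs again if MK changes, which is exactly the property the ticket wants from mixing MK into the derivation.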