impala-reviews mailing list archives

From "Bikramjeet Vig (Code Review)" <ger...@cloudera.org>
Subject [Impala-ASF-CR] IMPALA-6128: Spill-to-disk Encryption(AES-CFB + SHA256) is slow CFB mode is stream cipher and is secure when use different nonce/IV for every message. However it would be a performance bottleneck. CTR mode is also stream cipher and is secure, 4~6x faster
Date Thu, 28 Dec 2017 00:53:44 GMT
Bikramjeet Vig has posted comments on this change. ( http://gerrit.cloudera.org:8080/8861 )

Change subject: IMPALA-6128: Spill-to-disk Encryption(AES-CFB + SHA256) is slow CFB mode is
stream cipher and is secure when use different nonce/IV for every message. However it would
be a performance bottleneck. CTR mode is also stream cipher and is secure, 4~6x faster 
......................................................................


Patch Set 2:

(11 comments)

http://gerrit.cloudera.org:8080/#/c/8861/2//COMMIT_MSG
Commit Message:

http://gerrit.cloudera.org:8080/#/c/8861/2//COMMIT_MSG@7
PS2, Line 7: Spill-to-disk Encryption(AES-CFB + SHA256) is slow
nit, how about this?:
Add support for AES-CTR encryption when spilling to disk


http://gerrit.cloudera.org:8080/#/c/8861/2//COMMIT_MSG@8
PS2, Line 8:  
nit:
is a stream


http://gerrit.cloudera.org:8080/#/c/8861/2//COMMIT_MSG@8
PS2, Line 8: use
nit: used with a


http://gerrit.cloudera.org:8080/#/c/8861/2//COMMIT_MSG@9
PS2, Line 9: would
nit: can


http://gerrit.cloudera.org:8080/#/c/8861/2//COMMIT_MSG@14
PS2, Line 14: CTR mode is used if OpenSSL version>=1.0.1 at runtime, otherwise
nit, add:
With this patch


http://gerrit.cloudera.org:8080/#/c/8861/2//COMMIT_MSG@15
PS2, Line 15:  
nit: using


http://gerrit.cloudera.org:8080/#/c/8861/2//COMMIT_MSG@18
PS2, Line 18: run runtime tmp-file-mgr-test, openssl-util-test, buffer-pool-test and buffered-tuple-stream-test
nit: long line, wrap around after 72 characters.


http://gerrit.cloudera.org:8080/#/c/8861/2//COMMIT_MSG@19
PS2, Line 19: 
please also mention that you added a test that tests encryption in both modes


http://gerrit.cloudera.org:8080/#/c/8861/2/be/src/util/openssl-util.h
File be/src/util/openssl-util.h:

http://gerrit.cloudera.org:8080/#/c/8861/2/be/src/util/openssl-util.h@59
PS2, Line 59: CTR/CFB
maybe add a line explaining when each mode is used.


http://gerrit.cloudera.org:8080/#/c/8861/2/be/src/util/openssl-util.h@89
PS2, Line 89: Maybe
nit, add:
Currently used only for testing but


http://gerrit.cloudera.org:8080/#/c/8861/2/be/src/util/openssl-util.cc
File be/src/util/openssl-util.cc:

http://gerrit.cloudera.org:8080/#/c/8861/2/be/src/util/openssl-util.cc@104
PS2, Line 104:  
nit:
either CTR or CFB (stream cipher), both of which support arbitrary length ciphertexts - it
doesn't have to be a multiple of 16 bytes. Additionally, CTR mode is well-optimized (instruction
level parallelism) with hardware acceleration on x86 and PowerPC.



-- 
To view, visit http://gerrit.cloudera.org:8080/8861
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-MessageType: comment
Gerrit-Change-Id: I9debc240615dd8cdbf00ec8730cff62ffef52aff
Gerrit-Change-Number: 8861
Gerrit-PatchSet: 2
Gerrit-Owner: Xianda Ke <kexianda@gmail.com>
Gerrit-Reviewer: Bikramjeet Vig <bikramjeet.vig@cloudera.com>
Gerrit-Reviewer: Sailesh Mukil <sailesh@cloudera.com>
Gerrit-Reviewer: Tim Armstrong <tarmstrong@cloudera.com>
Gerrit-Reviewer: Xianda Ke <kexianda@gmail.com>
Gerrit-Comment-Date: Thu, 28 Dec 2017 00:53:44 +0000
Gerrit-HasComments: Yes
