[ https://issues.apache.org/jira/browse/HADOOP-10734?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14057013#comment-14057013 ]
Andrew Wang commented on HADOOP-10734: -------------------------------------- Hi Colin and Yi, do you mind expanding a bit more on these issues with /dev/urandom? This source [1] indicates that initial seeding isn't really an issue unless you're cloning VMs, and even then you can fix it. I'm not sure who wrote that earlier blog, but crypto experts like DJB [2] and others [3] like urandom. The kernel also mixes in entropy from the chip, so if the Intel instructions are present, it's no less secure. The kernel also has additional entropy that OpenSSL in userspace doesn't have access to, so you'd think it'd be higher quality randomness. When it comes to portability, FreeBSD/MacOS have /dev/urandom with very compatible behavior. Windows has its own APIs, but again, kernel-level randomness should be higher quality than anything we get from userspace (assuming that Windows mixes in chip randomness). [1] http://www.2uo.de/myths-about-urandom/ [2] http://www.mail-archive.com/cryptography@randombit.net/msg04763.html [3] http://sockpuppet.org/blog/2014/02/25/safely-generate-random-numbers/ > Implementation of true secure random with high performance using hardware > random number generator. > -------------------------------------------------------------------------------------------------- > > Key: HADOOP-10734 > URL: https://issues.apache.org/jira/browse/HADOOP-10734 > Project: Hadoop Common > Issue Type: Sub-task > Components: security > Affects Versions: fs-encryption (HADOOP-10150 and HDFS-6134) > Reporter: Yi Liu > Assignee: Yi Liu > Fix For: fs-encryption (HADOOP-10150 and HDFS-6134) > > Attachments: HADOOP-10734-fs-enc.004.patch, HADOOP-10734.1.patch, > HADOOP-10734.2.patch, HADOOP-10734.3.patch, HADOOP-10734.patch > > > This JIRA is to implement Secure random using JNI to OpenSSL, and > implementation should be thread-safe. > Utilize RdRand to return random numbers from hardware random number > generator. It's TRNG(True Random Number generators) having much higher > performance than {{java.security.SecureRandom}}. > https://wiki.openssl.org/index.php/Random_Numbers > http://en.wikipedia.org/wiki/RdRand > https://software.intel.com/en-us/articles/performance-impact-of-intel-secure-key-on-openssl -- This message was sent by Atlassian JIRA (v6.2#6252)