[jira] [Commented] (HADOOP-10734) Implementation of true secure random with high performance using hardware random number generator.

Wed, 09 Jul 2014 18:45:27 -0700 

    [ 
https://issues.apache.org/jira/browse/HADOOP-10734?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14057013#comment-14057013
 ] 

Andrew Wang commented on HADOOP-10734:
--------------------------------------

Hi Colin and Yi, do you mind expanding a bit more on these issues with 
/dev/urandom?

This source [1] indicates that initial seeding isn't really an issue unless 
you're cloning VMs, and even then you can fix it. I'm not sure who wrote that 
earlier blog, but crypto experts like DJB [2] and others [3] like urandom. The 
kernel also mixes in entropy from the chip, so if the Intel instructions are 
present, it's no less secure. The kernel also has additional entropy that 
OpenSSL in userspace doesn't have access to, so you'd think it'd be higher 
quality randomness.

When it comes to portability, FreeBSD/MacOS have /dev/urandom with very 
compatible behavior. Windows has its own APIs, but again, kernel-level 
randomness should be higher quality than anything we get from userspace 
(assuming that Windows mixes in chip randomness).

[1] http://www.2uo.de/myths-about-urandom/
[2] http://www.mail-archive.com/cryptography@randombit.net/msg04763.html
[3] http://sockpuppet.org/blog/2014/02/25/safely-generate-random-numbers/

> Implementation of true secure random with high performance using hardware 
> random number generator.
> --------------------------------------------------------------------------------------------------
>
>                 Key: HADOOP-10734
>                 URL: https://issues.apache.org/jira/browse/HADOOP-10734
>             Project: Hadoop Common
>          Issue Type: Sub-task
>          Components: security
>    Affects Versions: fs-encryption (HADOOP-10150 and HDFS-6134)
>            Reporter: Yi Liu
>            Assignee: Yi Liu
>             Fix For: fs-encryption (HADOOP-10150 and HDFS-6134)
>
>         Attachments: HADOOP-10734-fs-enc.004.patch, HADOOP-10734.1.patch, 
> HADOOP-10734.2.patch, HADOOP-10734.3.patch, HADOOP-10734.patch
>
>
> This JIRA is to implement Secure random using JNI to OpenSSL, and 
> implementation should be thread-safe.
> Utilize RdRand to return random numbers from hardware random number 
> generator. It's TRNG(True Random Number generators) having much higher 
> performance than {{java.security.SecureRandom}}. 
> https://wiki.openssl.org/index.php/Random_Numbers
> http://en.wikipedia.org/wiki/RdRand
> https://software.intel.com/en-us/articles/performance-impact-of-intel-secure-key-on-openssl



--
This message was sent by Atlassian JIRA
(v6.2#6252)

Reply via email to