[ https://issues.apache.org/jira/browse/HADOOP-10734?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14059536#comment-14059536 ]

Mike Yoder commented on HADOOP-10734:
-------------------------------------

[~andrew.wang] - RDRAND does indeed use SP 800-90 internally, which is good... 
but it's more convoluted than that.  "Meets standards such as [blah blah 
blah]" is not the same as "you can actually be validated under FIPS or Common 
Criteria using this thing".  Meeting those standards is the first step, jumping 
through other arbitrary hoops is the second. :-)

Support for the rdrand instruction is not in the latest openssl fips code 
(openssl-fips-2.0.7 - it's actually a separate code fork for significant parts 
of openssl).  So one could not use a FIPS-compliant openssl library and use 
rdrand. 

Anyway, I'm not going to object on FIPS or crypto grounds.  What we have now is 
an entirely reasonable first step.


> Implementation of true secure random with high performance using hardware 
> random number generator.
> --------------------------------------------------------------------------------------------------
>
>                 Key: HADOOP-10734
>                 URL: https://issues.apache.org/jira/browse/HADOOP-10734
>             Project: Hadoop Common
>          Issue Type: Sub-task
>          Components: security
>    Affects Versions: fs-encryption (HADOOP-10150 and HDFS-6134)
>            Reporter: Yi Liu
>            Assignee: Yi Liu
>             Fix For: fs-encryption (HADOOP-10150 and HDFS-6134)
>
>         Attachments: HADOOP-10734-fs-enc.004.patch, HADOOP-10734.1.patch, 
> HADOOP-10734.2.patch, HADOOP-10734.3.patch, HADOOP-10734.4.patch, 
> HADOOP-10734.patch
>
>
> This JIRA is to implement Secure random using JNI to OpenSSL, and the 
> implementation should be thread-safe.
> Utilize RdRand to return random numbers from the hardware random number 
> generator. It's a TRNG (True Random Number Generator) with much higher 
> performance than {{java.security.SecureRandom}}. 
> https://wiki.openssl.org/index.php/Random_Numbers
> http://en.wikipedia.org/wiki/RdRand
> https://software.intel.com/en-us/articles/performance-impact-of-intel-secure-key-on-openssl



--
This message was sent by Atlassian JIRA
(v6.2#6252)
