[jira] [Updated] (HBASE-13511) Derive data keys with HKDF
[ https://issues.apache.org/jira/browse/HBASE-13511?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] stack updated HBASE-13511: -- Fix Version/s: (was: 2.0.0) > Derive data keys with HKDF > -- > > Key: HBASE-13511 > URL: https://issues.apache.org/jira/browse/HBASE-13511 > Project: HBase > Issue Type: Sub-task > Components: encryption, security >Reporter: Andrew Purtell >Priority: Minor > > When we are locally managing master key material, when users have supplied > their own data key material, derive the actual data keys using HKDF > (https://tools.ietf.org/html/rfc5869) > DK' = HKDF(S, DK, MK) > where > S = salt > DK = user supplied data key > MK = master key > DK' = derived data key for the HFile > User supplied key material may be weak or an attacker may have some partial > knowledge of it. > Where we generate random data keys we can still use HKDF as a way to mix more > entropy into the secure random generator. > DK' = HKDF(R, MK) > where > R = random key material drawn from the system's secure random generator > MK = master key > (Salting isn't useful here because salt S and R would be drawn from the same > pool, so will not have statistical independence.) -- This message was sent by Atlassian JIRA (v7.6.3#76005)
[jira] [Updated] (HBASE-13511) Derive data keys with HKDF
[ https://issues.apache.org/jira/browse/HBASE-13511?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Andrew Purtell updated HBASE-13511: --- Fix Version/s: (was: 0.98.21) (was: 1.3.0) > Derive data keys with HKDF > -- > > Key: HBASE-13511 > URL: https://issues.apache.org/jira/browse/HBASE-13511 > Project: HBase > Issue Type: Sub-task > Components: encryption, security >Reporter: Andrew Purtell >Assignee: Andrew Purtell >Priority: Minor > Fix For: 2.0.0 > > > When we are locally managing master key material, when users have supplied > their own data key material, derive the actual data keys using HKDF > (https://tools.ietf.org/html/rfc5869) > DK' = HKDF(S, DK, MK) > where > S = salt > DK = user supplied data key > MK = master key > DK' = derived data key for the HFile > User supplied key material may be weak or an attacker may have some partial > knowledge of it. > Where we generate random data keys we can still use HKDF as a way to mix more > entropy into the secure random generator. > DK' = HKDF(R, MK) > where > R = random key material drawn from the system's secure random generator > MK = master key > (Salting isn't useful here because salt S and R would be drawn from the same > pool, so will not have statistical independence.) -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Updated] (HBASE-13511) Derive data keys with HKDF
[ https://issues.apache.org/jira/browse/HBASE-13511?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Andrew Purtell updated HBASE-13511: --- Assignee: (was: Andrew Purtell) > Derive data keys with HKDF > -- > > Key: HBASE-13511 > URL: https://issues.apache.org/jira/browse/HBASE-13511 > Project: HBase > Issue Type: Sub-task > Components: encryption, security >Reporter: Andrew Purtell >Priority: Minor > Fix For: 2.0.0 > > > When we are locally managing master key material, when users have supplied > their own data key material, derive the actual data keys using HKDF > (https://tools.ietf.org/html/rfc5869) > DK' = HKDF(S, DK, MK) > where > S = salt > DK = user supplied data key > MK = master key > DK' = derived data key for the HFile > User supplied key material may be weak or an attacker may have some partial > knowledge of it. > Where we generate random data keys we can still use HKDF as a way to mix more > entropy into the secure random generator. > DK' = HKDF(R, MK) > where > R = random key material drawn from the system's secure random generator > MK = master key > (Salting isn't useful here because salt S and R would be drawn from the same > pool, so will not have statistical independence.) -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Updated] (HBASE-13511) Derive data keys with HKDF
[ https://issues.apache.org/jira/browse/HBASE-13511?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Andrew Purtell updated HBASE-13511: --- Fix Version/s: (was: 0.98.20) 0.98.21 > Derive data keys with HKDF > -- > > Key: HBASE-13511 > URL: https://issues.apache.org/jira/browse/HBASE-13511 > Project: HBase > Issue Type: Sub-task > Components: encryption, security >Reporter: Andrew Purtell >Assignee: Andrew Purtell >Priority: Minor > Fix For: 2.0.0, 1.3.0, 0.98.21 > > > When we are locally managing master key material, when users have supplied > their own data key material, derive the actual data keys using HKDF > (https://tools.ietf.org/html/rfc5869) > DK' = HKDF(S, DK, MK) > where > S = salt > DK = user supplied data key > MK = master key > DK' = derived data key for the HFile > User supplied key material may be weak or an attacker may have some partial > knowledge of it. > Where we generate random data keys we can still use HKDF as a way to mix more > entropy into the secure random generator. > DK' = HKDF(R, MK) > where > R = random key material drawn from the system's secure random generator > MK = master key > (Salting isn't useful here because salt S and R would be drawn from the same > pool, so will not have statistical independence.) -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Updated] (HBASE-13511) Derive data keys with HKDF
[ https://issues.apache.org/jira/browse/HBASE-13511?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Andrew Purtell updated HBASE-13511: --- Fix Version/s: (was: 0.98.19) 0.98.20 > Derive data keys with HKDF > -- > > Key: HBASE-13511 > URL: https://issues.apache.org/jira/browse/HBASE-13511 > Project: HBase > Issue Type: Sub-task > Components: encryption, security >Reporter: Andrew Purtell >Assignee: Andrew Purtell >Priority: Minor > Fix For: 2.0.0, 1.3.0, 0.98.20 > > > When we are locally managing master key material, when users have supplied > their own data key material, derive the actual data keys using HKDF > (https://tools.ietf.org/html/rfc5869) > DK' = HKDF(S, DK, MK) > where > S = salt > DK = user supplied data key > MK = master key > DK' = derived data key for the HFile > User supplied key material may be weak or an attacker may have some partial > knowledge of it. > Where we generate random data keys we can still use HKDF as a way to mix more > entropy into the secure random generator. > DK' = HKDF(R, MK) > where > R = random key material drawn from the system's secure random generator > MK = master key > (Salting isn't useful here because salt S and R would be drawn from the same > pool, so will not have statistical independence.) -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Updated] (HBASE-13511) Derive data keys with HKDF
[ https://issues.apache.org/jira/browse/HBASE-13511?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Andrew Purtell updated HBASE-13511: --- Fix Version/s: (was: 0.98.18) 0.98.19 > Derive data keys with HKDF > -- > > Key: HBASE-13511 > URL: https://issues.apache.org/jira/browse/HBASE-13511 > Project: HBase > Issue Type: Sub-task > Components: encryption, security >Reporter: Andrew Purtell >Assignee: Andrew Purtell >Priority: Minor > Fix For: 2.0.0, 1.3.0, 0.98.19 > > > When we are locally managing master key material, when users have supplied > their own data key material, derive the actual data keys using HKDF > (https://tools.ietf.org/html/rfc5869) > DK' = HKDF(S, DK, MK) > where > S = salt > DK = user supplied data key > MK = master key > DK' = derived data key for the HFile > User supplied key material may be weak or an attacker may have some partial > knowledge of it. > Where we generate random data keys we can still use HKDF as a way to mix more > entropy into the secure random generator. > DK' = HKDF(R, MK) > where > R = random key material drawn from the system's secure random generator > MK = master key > (Salting isn't useful here because salt S and R would be drawn from the same > pool, so will not have statistical independence.) -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Updated] (HBASE-13511) Derive data keys with HKDF
[ https://issues.apache.org/jira/browse/HBASE-13511?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Andrew Purtell updated HBASE-13511: --- Fix Version/s: (was: 1.0.4) (was: 0.98.17) (was: 1.1.4) (was: 1.2.1) 0.98.18 > Derive data keys with HKDF > -- > > Key: HBASE-13511 > URL: https://issues.apache.org/jira/browse/HBASE-13511 > Project: HBase > Issue Type: Sub-task > Components: encryption, security >Reporter: Andrew Purtell >Assignee: Andrew Purtell >Priority: Minor > Fix For: 2.0.0, 1.3.0, 0.98.18 > > > When we are locally managing master key material, when users have supplied > their own data key material, derive the actual data keys using HKDF > (https://tools.ietf.org/html/rfc5869) > DK' = HKDF(S, DK, MK) > where > S = salt > DK = user supplied data key > MK = master key > DK' = derived data key for the HFile > User supplied key material may be weak or an attacker may have some partial > knowledge of it. > Where we generate random data keys we can still use HKDF as a way to mix more > entropy into the secure random generator. > DK' = HKDF(R, MK) > where > R = random key material drawn from the system's secure random generator > MK = master key > (Salting isn't useful here because salt S and R would be drawn from the same > pool, so will not have statistical independence.) -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Updated] (HBASE-13511) Derive data keys with HKDF
[ https://issues.apache.org/jira/browse/HBASE-13511?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Andrew Purtell updated HBASE-13511: --- Fix Version/s: (was: 1.0.3) 1.0.4 > Derive data keys with HKDF > -- > > Key: HBASE-13511 > URL: https://issues.apache.org/jira/browse/HBASE-13511 > Project: HBase > Issue Type: Sub-task > Components: encryption, security >Reporter: Andrew Purtell >Assignee: Andrew Purtell >Priority: Minor > Fix For: 2.0.0, 1.3.0, 1.2.1, 1.1.4, 0.98.17, 1.0.4 > > > When we are locally managing master key material, when users have supplied > their own data key material, derive the actual data keys using HKDF > (https://tools.ietf.org/html/rfc5869) > DK' = HKDF(S, DK, MK) > where > S = salt > DK = user supplied data key > MK = master key > DK' = derived data key for the HFile > User supplied key material may be weak or an attacker may have some partial > knowledge of it. > Where we generate random data keys we can still use HKDF as a way to mix more > entropy into the secure random generator. > DK' = HKDF(R, MK) > where > R = random key material drawn from the system's secure random generator > MK = master key > (Salting isn't useful here because salt S and R would be drawn from the same > pool, so will not have statistical independence.) -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Updated] (HBASE-13511) Derive data keys with HKDF
[ https://issues.apache.org/jira/browse/HBASE-13511?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Andrew Purtell updated HBASE-13511: --- Fix Version/s: (was: 0.98.16) 0.98.17 > Derive data keys with HKDF > -- > > Key: HBASE-13511 > URL: https://issues.apache.org/jira/browse/HBASE-13511 > Project: HBase > Issue Type: Sub-task > Components: encryption, security >Reporter: Andrew Purtell >Assignee: Andrew Purtell >Priority: Minor > Fix For: 2.0.0, 1.3.0, 1.2.1, 1.0.3, 1.1.4, 0.98.17 > > > When we are locally managing master key material, when users have supplied > their own data key material, derive the actual data keys using HKDF > (https://tools.ietf.org/html/rfc5869) > DK' = HKDF(S, DK, MK) > where > S = salt > DK = user supplied data key > MK = master key > DK' = derived data key for the HFile > User supplied key material may be weak or an attacker may have some partial > knowledge of it. > Where we generate random data keys we can still use HKDF as a way to mix more > entropy into the secure random generator. > DK' = HKDF(R, MK) > where > R = random key material drawn from the system's secure random generator > MK = master key > (Salting isn't useful here because salt S and R would be drawn from the same > pool, so will not have statistical independence.) -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Updated] (HBASE-13511) Derive data keys with HKDF
[ https://issues.apache.org/jira/browse/HBASE-13511?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Andrew Purtell updated HBASE-13511: --- Fix Version/s: (was: 0.98.15) 0.98.16 > Derive data keys with HKDF > -- > > Key: HBASE-13511 > URL: https://issues.apache.org/jira/browse/HBASE-13511 > Project: HBase > Issue Type: Sub-task > Components: encryption, security >Reporter: Andrew Purtell >Assignee: Andrew Purtell >Priority: Minor > Fix For: 2.0.0, 1.3.0, 1.2.1, 1.0.3, 0.98.16, 1.1.4 > > > When we are locally managing master key material, when users have supplied > their own data key material, derive the actual data keys using HKDF > (https://tools.ietf.org/html/rfc5869) > DK' = HKDF(S, DK, MK) > where > S = salt > DK = user supplied data key > MK = master key > DK' = derived data key for the HFile > User supplied key material may be weak or an attacker may have some partial > knowledge of it. > Where we generate random data keys we can still use HKDF as a way to mix more > entropy into the secure random generator. > DK' = HKDF(R, MK) > where > R = random key material drawn from the system's secure random generator > MK = master key > (Salting isn't useful here because salt S and R would be drawn from the same > pool, so will not have statistical independence.) -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Updated] (HBASE-13511) Derive data keys with HKDF
[ https://issues.apache.org/jira/browse/HBASE-13511?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Nick Dimiduk updated HBASE-13511: - Fix Version/s: (was: 1.1.3) 1.1.4 > Derive data keys with HKDF > -- > > Key: HBASE-13511 > URL: https://issues.apache.org/jira/browse/HBASE-13511 > Project: HBase > Issue Type: Sub-task > Components: encryption, security >Reporter: Andrew Purtell >Assignee: Andrew Purtell >Priority: Minor > Fix For: 2.0.0, 1.3.0, 0.98.15, 1.2.1, 1.0.3, 1.1.4 > > > When we are locally managing master key material, when users have supplied > their own data key material, derive the actual data keys using HKDF > (https://tools.ietf.org/html/rfc5869) > DK' = HKDF(S, DK, MK) > where > S = salt > DK = user supplied data key > MK = master key > DK' = derived data key for the HFile > User supplied key material may be weak or an attacker may have some partial > knowledge of it. > Where we generate random data keys we can still use HKDF as a way to mix more > entropy into the secure random generator. > DK' = HKDF(R, MK) > where > R = random key material drawn from the system's secure random generator > MK = master key > (Salting isn't useful here because salt S and R would be drawn from the same > pool, so will not have statistical independence.) -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Updated] (HBASE-13511) Derive data keys with HKDF
[ https://issues.apache.org/jira/browse/HBASE-13511?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Andrew Purtell updated HBASE-13511: --- Fix Version/s: (was: 0.98.14) 0.98.15 Derive data keys with HKDF -- Key: HBASE-13511 URL: https://issues.apache.org/jira/browse/HBASE-13511 Project: HBase Issue Type: Sub-task Components: encryption, security Reporter: Andrew Purtell Assignee: Andrew Purtell Priority: Minor Fix For: 2.0.0, 1.3.0, 0.98.15, 1.2.1, 1.0.3, 1.1.3 When we are locally managing master key material, when users have supplied their own data key material, derive the actual data keys using HKDF (https://tools.ietf.org/html/rfc5869) DK' = HKDF(S, DK, MK) where S = salt DK = user supplied data key MK = master key DK' = derived data key for the HFile User supplied key material may be weak or an attacker may have some partial knowledge of it. Where we generate random data keys we can still use HKDF as a way to mix more entropy into the secure random generator. DK' = HKDF(R, MK) where R = random key material drawn from the system's secure random generator MK = master key (Salting isn't useful here because salt S and R would be drawn from the same pool, so will not have statistical independence.) -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Updated] (HBASE-13511) Derive data keys with HKDF
[ https://issues.apache.org/jira/browse/HBASE-13511?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Nick Dimiduk updated HBASE-13511: - Fix Version/s: (was: 1.1.2) 1.1.3 Derive data keys with HKDF -- Key: HBASE-13511 URL: https://issues.apache.org/jira/browse/HBASE-13511 Project: HBase Issue Type: Sub-task Components: encryption, security Reporter: Andrew Purtell Assignee: Andrew Purtell Priority: Minor Fix For: 2.0.0, 0.98.14, 1.3.0, 1.2.1, 1.0.3, 1.1.3 When we are locally managing master key material, when users have supplied their own data key material, derive the actual data keys using HKDF (https://tools.ietf.org/html/rfc5869) DK' = HKDF(S, DK, MK) where S = salt DK = user supplied data key MK = master key DK' = derived data key for the HFile User supplied key material may be weak or an attacker may have some partial knowledge of it. Where we generate random data keys we can still use HKDF as a way to mix more entropy into the secure random generator. DK' = HKDF(R, MK) where R = random key material drawn from the system's secure random generator MK = master key (Salting isn't useful here because salt S and R would be drawn from the same pool, so will not have statistical independence.) -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Updated] (HBASE-13511) Derive data keys with HKDF
[ https://issues.apache.org/jira/browse/HBASE-13511?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Enis Soztutar updated HBASE-13511: -- Fix Version/s: (was: 1.0.2) 1.0.3 Derive data keys with HKDF -- Key: HBASE-13511 URL: https://issues.apache.org/jira/browse/HBASE-13511 Project: HBase Issue Type: Sub-task Components: encryption, security Reporter: Andrew Purtell Assignee: Andrew Purtell Priority: Minor Fix For: 2.0.0, 0.98.14, 1.1.2, 1.3.0, 1.2.1, 1.0.3 When we are locally managing master key material, when users have supplied their own data key material, derive the actual data keys using HKDF (https://tools.ietf.org/html/rfc5869) DK' = HKDF(S, DK, MK) where S = salt DK = user supplied data key MK = master key DK' = derived data key for the HFile User supplied key material may be weak or an attacker may have some partial knowledge of it. Where we generate random data keys we can still use HKDF as a way to mix more entropy into the secure random generator. DK' = HKDF(R, MK) where R = random key material drawn from the system's secure random generator MK = master key (Salting isn't useful here because salt S and R would be drawn from the same pool, so will not have statistical independence.) -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Updated] (HBASE-13511) Derive data keys with HKDF
[ https://issues.apache.org/jira/browse/HBASE-13511?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Sean Busbey updated HBASE-13511: Fix Version/s: (was: 1.2.0) 1.2.1 1.3.0 Derive data keys with HKDF -- Key: HBASE-13511 URL: https://issues.apache.org/jira/browse/HBASE-13511 Project: HBase Issue Type: Sub-task Components: encryption, security Reporter: Andrew Purtell Assignee: Andrew Purtell Priority: Minor Fix For: 2.0.0, 0.98.14, 1.0.2, 1.1.2, 1.3.0, 1.2.1 When we are locally managing master key material, when users have supplied their own data key material, derive the actual data keys using HKDF (https://tools.ietf.org/html/rfc5869) DK' = HKDF(S, DK, MK) where S = salt DK = user supplied data key MK = master key DK' = derived data key for the HFile User supplied key material may be weak or an attacker may have some partial knowledge of it. Where we generate random data keys we can still use HKDF as a way to mix more entropy into the secure random generator. DK' = HKDF(R, MK) where R = random key material drawn from the system's secure random generator MK = master key (Salting isn't useful here because salt S and R would be drawn from the same pool, so will not have statistical independence.) -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Updated] (HBASE-13511) Derive data keys with HKDF
[ https://issues.apache.org/jira/browse/HBASE-13511?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Nick Dimiduk updated HBASE-13511: - Fix Version/s: (was: 1.1.1) 1.1.2 Derive data keys with HKDF -- Key: HBASE-13511 URL: https://issues.apache.org/jira/browse/HBASE-13511 Project: HBase Issue Type: Sub-task Components: encryption, security Reporter: Andrew Purtell Assignee: Andrew Purtell Priority: Minor Fix For: 2.0.0, 0.98.14, 1.0.2, 1.2.0, 1.1.2 When we are locally managing master key material, when users have supplied their own data key material, derive the actual data keys using HKDF (https://tools.ietf.org/html/rfc5869) DK' = HKDF(S, DK, MK) where S = salt DK = user supplied data key MK = master key DK' = derived data key for the HFile User supplied key material may be weak or an attacker may have some partial knowledge of it. Where we generate random data keys we can still use HKDF as a way to mix more entropy into the secure random generator. DK' = HKDF(R, MK) where R = random key material drawn from the system's secure random generator MK = master key (Salting isn't useful here because salt S and R would be drawn from the same pool, so will not have statistical independence.) -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Updated] (HBASE-13511) Derive data keys with HKDF
[ https://issues.apache.org/jira/browse/HBASE-13511?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Andrew Purtell updated HBASE-13511: --- Fix Version/s: (was: 0.98.13) 0.98.14 Derive data keys with HKDF -- Key: HBASE-13511 URL: https://issues.apache.org/jira/browse/HBASE-13511 Project: HBase Issue Type: Sub-task Components: encryption, security Reporter: Andrew Purtell Assignee: Andrew Purtell Priority: Minor Fix For: 2.0.0, 0.98.14, 1.0.2, 1.2.0, 1.1.1 When we are locally managing master key material, when users have supplied their own data key material, derive the actual data keys using HKDF (https://tools.ietf.org/html/rfc5869) DK' = HKDF(S, DK, MK) where S = salt DK = user supplied data key MK = master key DK' = derived data key for the HFile User supplied key material may be weak or an attacker may have some partial knowledge of it. Where we generate random data keys we can still use HKDF as a way to mix more entropy into the secure random generator. DK' = HKDF(R, MK) where R = random key material drawn from the system's secure random generator MK = master key (Salting isn't useful here because salt S and R would be drawn from the same pool, so will not have statistical independence.) -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Updated] (HBASE-13511) Derive data keys with HKDF
[ https://issues.apache.org/jira/browse/HBASE-13511?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Nick Dimiduk updated HBASE-13511: - Fix Version/s: (was: 1.1.0) 1.1.1 1.2.0 Derive data keys with HKDF -- Key: HBASE-13511 URL: https://issues.apache.org/jira/browse/HBASE-13511 Project: HBase Issue Type: Sub-task Components: encryption, security Reporter: Andrew Purtell Assignee: Andrew Purtell Priority: Minor Fix For: 2.0.0, 0.98.13, 1.0.2, 1.2.0, 1.1.1 When we are locally managing master key material, when users have supplied their own data key material, derive the actual data keys using HKDF (https://tools.ietf.org/html/rfc5869) DK' = HKDF(S, DK, MK) where S = salt DK = user supplied data key MK = master key DK' = derived data key for the HFile User supplied key material may be weak or an attacker may have some partial knowledge of it. Where we generate random data keys we can still use HKDF as a way to mix more entropy into the secure random generator. DK' = HKDF(R, MK) where R = random key material drawn from the system's secure random generator MK = master key (Salting isn't useful here because salt S and R would be drawn from the same pool, so will not have statistical independence.) -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Updated] (HBASE-13511) Derive data keys with HKDF
[ https://issues.apache.org/jira/browse/HBASE-13511?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Andrew Purtell updated HBASE-13511: --- Description: When we are locally managing master key material, when users have supplied their own data key material, derive the actual data keys using HKDF (https://tools.ietf.org/html/rfc5869) DK' = HKDF(S, DK, MK) where S = salt DK = user supplied data key MK = master key DK' = derived data key for the HFile User supplied key material may be weak or an attacker may have some partial knowledge of it. Where we generate random data keys we can still use HKDF as a way to mix more entropy into the secure random generator. DK' = HKDF(R, MK) where R = random key material drawn from the system's secure random generator MK = master key (Salting isn't useful here because salt S and R would be drawn from the same pool, so will not have statistical independence.) was: When we are locally managing master key material, when users have supplied their own data key material, derive the actual data keys using HKDF (https://tools.ietf.org/html/rfc5869) DK' = HKDF(S, DK, MK) where S = salt DK = user supplied data key MK = master key DK' = derived data key for the HFile User supplied key material may be weak or an attacker may have some partial knowledge of it. Salt S doesn't need to be secret and can be stored with the derived data key. Where we generate random data keys we can still use HKDF as a way to mix more entropy into the secure random generator. DK' = HKDF(R, MK) where R = random key material drawn from the system's secure random generator MK = master key (Salting isn't useful here because salt S and R would be drawn from the same pool, so will not have statistical independence.) Derive data keys with HKDF -- Key: HBASE-13511 URL: https://issues.apache.org/jira/browse/HBASE-13511 Project: HBase Issue Type: Sub-task Components: encryption, security Reporter: Andrew Purtell Assignee: Andrew Purtell Priority: Minor Fix For: 2.0.0, 1.1.0, 0.98.13, 1.0.2 When we are locally managing master key material, when users have supplied their own data key material, derive the actual data keys using HKDF (https://tools.ietf.org/html/rfc5869) DK' = HKDF(S, DK, MK) where S = salt DK = user supplied data key MK = master key DK' = derived data key for the HFile User supplied key material may be weak or an attacker may have some partial knowledge of it. Where we generate random data keys we can still use HKDF as a way to mix more entropy into the secure random generator. DK' = HKDF(R, MK) where R = random key material drawn from the system's secure random generator MK = master key (Salting isn't useful here because salt S and R would be drawn from the same pool, so will not have statistical independence.) -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Updated] (HBASE-13511) Derive data keys with HKDF
[ https://issues.apache.org/jira/browse/HBASE-13511?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Andrew Purtell updated HBASE-13511: --- Description: When we are locally managing master key material, when users have supplied their own data key material, derive the actual data keys using HKDF (https://tools.ietf.org/html/rfc5869) DK' = HKDF(S, DK, MK) where S = salt DK = user supplied data key MK = master key DK' = derived data key for the HFile User supplied key material may be weak or an attacker may have some partial knowledge of it. Salt S doesn't need to be secret and can be stored with the derived data key. Where we generate random data keys we can still use HKDF as a way to mix more entropy into the secure random generator. DK' = HKDF(R, MK) where R = random key material drawn from the system's secure random generator MK = master key (Salting isn't useful here because salt S and R would be drawn from the same pool, so will not have statistical independence.) was: When we are locally managing master key material, when users have supplied their own data key material, derive the actual data keys using HKDF (https://tools.ietf.org/html/rfc5869) DK' = HKDF(S, DK, MK) where S = salt DK = user supplied data key MK = master key DK' = derived data key for the HFile User supplied key material may be weak or an attacker may have some partial knowledge of it. Where we generate random data keys we can still use HKDF as a way to mix more entropy into the secure random generator. DK' = HKDF(R, MK) where R = random key material drawn from the system's secure random generator MK = master key (Salting isn't useful here because salt S and R would be drawn from the same pool, so will not have statistical independence.) Derive data keys with HKDF -- Key: HBASE-13511 URL: https://issues.apache.org/jira/browse/HBASE-13511 Project: HBase Issue Type: Sub-task Components: encryption, security Reporter: Andrew Purtell Assignee: Andrew Purtell Priority: Minor Fix For: 2.0.0, 1.1.0, 0.98.13, 1.0.2 When we are locally managing master key material, when users have supplied their own data key material, derive the actual data keys using HKDF (https://tools.ietf.org/html/rfc5869) DK' = HKDF(S, DK, MK) where S = salt DK = user supplied data key MK = master key DK' = derived data key for the HFile User supplied key material may be weak or an attacker may have some partial knowledge of it. Salt S doesn't need to be secret and can be stored with the derived data key. Where we generate random data keys we can still use HKDF as a way to mix more entropy into the secure random generator. DK' = HKDF(R, MK) where R = random key material drawn from the system's secure random generator MK = master key (Salting isn't useful here because salt S and R would be drawn from the same pool, so will not have statistical independence.) -- This message was sent by Atlassian JIRA (v6.3.4#6332)
