Posted to issues@kudu.apache.org by "Todd Lipcon (JIRA)" <ji...@apache.org> on 2017/01/21 00:47:26 UTC

[jira] [Commented] (KUDU-1843) Client UUIDs should be cryptographically random

    [ https://issues.apache.org/jira/browse/KUDU-1843?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15832681#comment-15832681 ] 

Todd Lipcon commented on KUDU-1843:
-----------------------------------

The fix seems to be to use the following:
{code}
 boost::uuids::basic_random_generator<boost::random_device> oid_generator_;
{code}
but that requires the boost libraries (not header-only). We're talking about building boost libraries in another context, so putting this on hold until they're available.

> Client UUIDs should be cryptographically random
> -----------------------------------------------
>
>                 Key: KUDU-1843
>                 URL: https://issues.apache.org/jira/browse/KUDU-1843
>             Project: Kudu
>          Issue Type: Improvement
>          Components: security
>    Affects Versions: 1.3.0
>            Reporter: Todd Lipcon
>            Priority: Critical
>
> Currently we use boost::uuid's default random generator, which is not cryptographically random. This may increase the ease with which an attacker could guess another client's client ID, which would potentially allow them to perform DoS or try to steal the results of RPCs from the result cache.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
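
Added example, not part of the original message or of Kudu's code: a standard-library sketch of why the generator behind a random UUID matters. It assumes std::mt19937 as a stand-in for a non-cryptographic generator and std::random_device as a stand-in for boost::random_device (std::random_device is implementation-defined; mainstream Linux toolchains back it with OS entropy). The function names are hypothetical.

```cpp
#include <array>
#include <cstddef>
#include <cstdint>
#include <iostream>
#include <random>
#include <string>

// Build an RFC 4122 version-4 UUID string from any callable yielding 32-bit words.
template <typename WordSource>
std::string MakeUuidV4(WordSource& src) {
  std::array<uint8_t, 16> b{};
  for (size_t i = 0; i < b.size(); i += 4) {
    uint32_t w = static_cast<uint32_t>(src());
    for (size_t j = 0; j < 4; ++j) b[i + j] = static_cast<uint8_t>(w >> (8 * j));
  }
  b[6] = (b[6] & 0x0F) | 0x40;  // version 4
  b[8] = (b[8] & 0x3F) | 0x80;  // RFC 4122 variant
  static const char kHex[] = "0123456789abcdef";
  std::string out;
  for (size_t i = 0; i < b.size(); ++i) {
    if (i == 4 || i == 6 || i == 8 || i == 10) out += '-';
    out += kHex[b[i] >> 4];
    out += kHex[b[i] & 0x0F];
  }
  return out;
}

// Non-cryptographic: the UUID is a pure function of the PRNG seed, so
// whoever learns or guesses the seed state can reproduce the ID.
std::string UuidFromSeededPrng(uint32_t seed) {
  std::mt19937 prng(seed);
  return MakeUuidV4(prng);
}

// Entropy-backed: every word is requested from the platform's random device.
std::string UuidFromOsEntropy() {
  std::random_device dev;
  return MakeUuidV4(dev);
}

int main() {
  // 1234 is a constructed sample seed.
  std::cout << "seeded PRNG, run 1: " << UuidFromSeededPrng(1234) << "\n"
            << "seeded PRNG, run 2: " << UuidFromSeededPrng(1234) << "\n"
            << "OS entropy, run 1:  " << UuidFromOsEntropy() << "\n"
            << "OS entropy, run 2:  " << UuidFromOsEntropy() << "\n";
  return 0;
}
```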