Posted to dev@hbase.apache.org by "Andrew Purtell (JIRA)" <ji...@apache.org> on 2015/04/20 19:21:59 UTC

[jira] [Created] (HBASE-13511) Derive data keys with HKDF

Andrew Purtell created HBASE-13511:
--------------------------------------

             Summary: Derive data keys with HKDF
                 Key: HBASE-13511
                 URL: https://issues.apache.org/jira/browse/HBASE-13511
             Project: HBase
          Issue Type: Sub-task
            Reporter: Andrew Purtell
            Assignee: Andrew Purtell
            Priority: Minor
             Fix For: 2.0.0, 1.1.0, 0.98.13, 1.0.2


When we are locally managing master key material and users have supplied their own data key material, derive the actual data keys using HKDF (https://tools.ietf.org/html/rfc5869):

DK' = HKDF(S, DK, MK)

where

S = salt
DK = user supplied data key
MK = master key

DK' = derived data key for the HFile

User supplied key material may be weak or an attacker may have some partial knowledge of it.

Where we generate random data keys we can still use HKDF as a way to mix more entropy into the secure random generator. 

DK' = HKDF(R, MK)

where

R = random key material drawn from the system's secure random generator
MK = master key

(Salting isn't useful here because salt S and R would be drawn from the same pool, so will not have statistical independence.)



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
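
Added example, not part of the original message and not HBase code: the two derivations above written out as RFC 5869 extract-then-expand with HMAC-SHA256. The issue does not say how S, DK, MK and R map onto HKDF's salt/IKM/info inputs, so the mapping here (S as salt, MK and DK or R length-framed together as input keying material, a fixed label as info), the function names, the "hfile-data-key" label and the 16-byte output length are all assumptions.

```python
import hashlib
import hmac
import os

HASH = hashlib.sha256
HASH_LEN = HASH().digest_size


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """RFC 5869 step 1: PRK = HMAC-Hash(salt, IKM); empty salt = HashLen zero bytes."""
    return hmac.new(salt or b"\x00" * HASH_LEN, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 step 2: T(i) = HMAC-Hash(PRK, T(i-1) | info | i), truncated to length."""
    if length > 255 * HASH_LEN:
        raise ValueError("requested length exceeds 255 * HashLen")
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]


def frame(*parts: bytes) -> bytes:
    # Length-prefix each part so the MK/DK boundary cannot be shifted.
    return b"".join(len(p).to_bytes(4, "big") + p for p in parts)


def derive_from_user_key(salt: bytes, dk: bytes, mk: bytes, length: int = 16) -> bytes:
    """DK' = HKDF(S, DK, MK). Assumed mapping: salt=S, IKM=frame(MK, DK)."""
    if not salt:
        raise ValueError("a salt is required for user supplied key material")
    prk = hkdf_extract(salt, frame(mk, dk))
    return hkdf_expand(prk, b"hfile-data-key", length)  # hypothetical info label


def derive_from_random(r: bytes, mk: bytes, length: int = 16) -> bytes:
    """DK' = HKDF(R, MK), unsalted. Assumed mapping: IKM=frame(MK, R)."""
    return hkdf_expand(hkdf_extract(b"", frame(mk, r)), b"hfile-data-key", length)


if __name__ == "__main__":
    mk = os.urandom(32)      # constructed stand-in for the master key
    salt = os.urandom(16)    # constructed salt; must be kept to re-derive DK'
    weak = b"password1"      # constructed weak user supplied data key
    print(derive_from_user_key(salt, weak, mk).hex())
    print(derive_from_random(os.urandom(16), mk).hex())
```

Because MK is part of the input keying material, two files that share the same weak DK and salt still get unrelated DK' values under different master keys, and DK' cannot be recomputed from DK and S alone.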