You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@hbase.apache.org by "Andrew Purtell (JIRA)" <ji...@apache.org> on 2015/04/20 19:21:59 UTC
[jira] [Created] (HBASE-13511) Derive data keys with HKDF
Andrew Purtell created HBASE-13511:
--------------------------------------
Summary: Derive data keys with HKDF
Key: HBASE-13511
URL: https://issues.apache.org/jira/browse/HBASE-13511
Project: HBase
Issue Type: Sub-task
Reporter: Andrew Purtell
Assignee: Andrew Purtell
Priority: Minor
Fix For: 2.0.0, 1.1.0, 0.98.13, 1.0.2
When we are locally managing master key material, when users have supplied their own data key material, derive the actual data keys using HKDF (https://tools.ietf.org/html/rfc5869)
DK' = HKDF(S, DK, MK)
where
S = salt
DK = user supplied data key
MK = master key
DK' = derived data key for the HFile
User supplied key material may be weak or an attacker may have some partial knowledge of it.
Where we generate random data keys we can still use HKDF as a way to mix more entropy into the secure random generator.
DK' = HKDF(R, MK)
where
R = random key material drawn from the system's secure random generator
MK = master key
(Salting isn't useful here because salt S and R would be drawn from the same pool, so will not have statistical independence.)
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)