Posted to common-dev@hadoop.apache.org by "Wei-Chiu Chuang (JIRA)" <ji...@apache.org> on 2019/08/02 21:49:00 UTC

[jira] [Created] (HADOOP-16486) Hadoop Credential Provider to support more secure key store types

Wei-Chiu Chuang created HADOOP-16486:
----------------------------------------

             Summary: Hadoop Credential Provider to support more secure key store types
                 Key: HADOOP-16486
                 URL: https://issues.apache.org/jira/browse/HADOOP-16486
             Project: Hadoop Common
          Issue Type: Improvement
            Reporter: Wei-Chiu Chuang


The Hadoop CredentialProvider API uses the JCEKS key store type.
JCEKS uses 3DES encryption, which NIST deprecated last year, on July 19, 2018 [1].

This is not desirable for more security-sensitive users. I would like to propose making Hadoop CP support more key store types, like PKCS12. In fact, PKCS12 has been the default since JDK 9 [2], and it is the recommended key store type since JDK 8u151 [3].

Looking at Java's documentation [4][5], it looks like JCE does support other key store types, so we can start by making it configurable in the Hadoop code here: https://github.com/apache/hadoop/blob/a55d6bba71c81c1c4e9d8cd11f55c78f10a548b0/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/alias/AbstractJavaKeyStoreProvider.java#L318

To make it work, it will probably require more than this one change; for example, migrating existing keys to the new key store type. Filing this Jira to get started.

References:
[1] https://csrc.nist.gov/News/2017/Update-to-Current-Use-and-Deprecation-of-TDEA
[2] https://blogs.oracle.com/jtc/jdk9-keytool-transitions-default-keystore-to-pkcs12
[3] https://www.oracle.com/technetwork/java/javase/8u151-relnotes-3850493.html
[4] https://docs.oracle.com/javase/8/docs/technotes/guides/security/StandardNames.html#KeyStore
[5] https://docs.oracle.com/javase/8/docs/technotes/guides/security/crypto/CryptoSpec.html#KeystoreImplementation



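The change the issue proposes, shown as an added example that is not Hadoop's own code: a small credential store whose KeyStore type is a parameter ("jceks" or "pkcs12") instead of a hard-coded JCEKS, plus the migration step the issue anticipates, copying every secret-key entry out of a legacy JCEKS file into a PKCS12 file. The class name TypedCredentialStore, the alias and password values, and the temp-file layout are all assumptions made for this illustration; the way a credential is stored (its UTF-8 bytes wrapped in an AES SecretKeySpec and written with setKeyEntry) is modelled on what the Hadoop provider does, but this is a stand-alone sketch, not the provider's code.

```java
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.GeneralSecurityException;
import java.security.Key;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.util.Collections;
import java.util.List;
import javax.crypto.SecretKey;
import javax.crypto.spec.SecretKeySpec;

/**
 * Hypothetical credential store for illustration only. The KeyStore type is
 * supplied by the caller, so switching from JCEKS to PKCS12 is a config change.
 */
public final class TypedCredentialStore {
    private final Path file;
    private final char[] password;
    private final KeyStore keyStore;

    public TypedCredentialStore(String type, Path file, char[] password)
            throws GeneralSecurityException, java.io.IOException {
        this.file = file;
        this.password = password;
        // KeyStore.getInstance accepts any type the JCE providers register
        // ("jceks", "pkcs12", ...); the name is case-insensitive.
        this.keyStore = KeyStore.getInstance(type);
        if (Files.exists(file)) {
            try (InputStream in = Files.newInputStream(file)) {
                keyStore.load(in, password);
            }
        } else {
            keyStore.load(null, password); // start with an empty store
        }
    }

    /** Store a credential: raw UTF-8 bytes wrapped as an AES SecretKeySpec, protected by the store password. */
    public void put(String alias, char[] credential) throws KeyStoreException {
        byte[] raw = new String(credential).getBytes(StandardCharsets.UTF_8);
        SecretKey key = new SecretKeySpec(raw, "AES");
        keyStore.setKeyEntry(alias, key, password, null);
    }

    /** Read a credential back, or null if the alias is absent. */
    public char[] get(String alias) throws GeneralSecurityException {
        Key key = keyStore.getKey(alias, password);
        if (key == null) {
            return null;
        }
        return new String(key.getEncoded(), StandardCharsets.UTF_8).toCharArray();
    }

    public void flush() throws GeneralSecurityException, java.io.IOException {
        try (OutputStream out = Files.newOutputStream(file)) {
            keyStore.store(out, password);
        }
    }

    public List<String> aliases() throws KeyStoreException {
        return Collections.list(keyStore.aliases());
    }

    public String type() {
        return keyStore.getType();
    }

    /** Copy every secret-key entry from one store into another, e.g. JCEKS -> PKCS12. */
    public static void migrate(TypedCredentialStore from, TypedCredentialStore to)
            throws GeneralSecurityException, java.io.IOException {
        for (String alias : from.aliases()) {
            if (from.keyStore.isKeyEntry(alias)) {
                to.put(alias, from.get(alias));
            }
        }
        to.flush();
    }

    public static void main(String[] args) throws Exception {
        Path dir = Files.createTempDirectory("credstore");
        char[] storePass = "storepass".toCharArray(); // constructed sample value

        // Legacy store, written the way a JCEKS-only provider would write it.
        TypedCredentialStore legacy = new TypedCredentialStore("jceks", dir.resolve("creds.jceks"), storePass);
        legacy.put("db.password", "s3cret".toCharArray()); // constructed sample credential
        legacy.flush();

        // New store: the only difference is the type string passed in.
        TypedCredentialStore modern = new TypedCredentialStore("pkcs12", dir.resolve("creds.p12"), storePass);
        migrate(legacy, modern);

        // Reload the PKCS12 file from disk and confirm the round trip.
        TypedCredentialStore check = new TypedCredentialStore("pkcs12", dir.resolve("creds.p12"), storePass);
        System.out.println(check.type() + " " + check.aliases() + " -> " + new String(check.get("db.password")));
    }
}
```

Two checks a practitioner will want before relying on the switch: first, storing a SecretKey in a PKCS12 keystore needs JDK 8 or later, which is where PKCS12 secret-key entries were added; second, changing the container type does not by itself change the cipher that protects the entries. Before JDK 12 the PKCS12 implementation's default key-protection PBE was still 3DES-based, and JDK 12 moved the PKCS12 defaults to PBES2 with AES-256 and HMAC-SHA256, so verify the JDK in use (or its java.security settings) rather than assuming "pkcs12" means "no 3DES".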