Andrew Purtell created HBASE-13511:
--------------------------------------
Summary: Derive data keys with HKDF
Key: HBASE-13511
URL: https://issues.apache.org/jira/browse/HBASE-13511
Project: HBase
Issue Type: Sub-task
Reporter: Andrew Purtell
Assignee: Andrew Purtell
Priority: Minor
Fix For: 2.0.0, 1.1.0, 0.98.13, 1.0.2
When we are locally managing master key material, when users have supplied
their own data key material, derive the actual data keys using HKDF
(https://tools.ietf.org/html/rfc5869)
DK' = HKDF(S, DK, MK)
where
S = salt
DK = user supplied data key
MK = master key
DK' = derived data key for the HFile
User supplied key material may be weak or an attacker may have some partial
knowledge of it.
Where we generate random data keys we can still use HKDF as a way to mix more
entropy into the secure random generator.
DK' = HKDF(R, MK)
where
R = random key material drawn from the system's secure random generator
MK = master key
(Salting isn't useful here because salt S and R would be drawn from the same
pool, so will not have statistical independence.)