Nothing wrong about using MD5 for that from FIPS point of view, but we want to deploy with FIPS 140-2 mode enabled using only RSA security providers. With this settings it is not possible to use MD5.
On Fri, Jul 22, 2016 at 8:49 PM, Shikhar Bhushan <shik...@confluent.io> wrote: > Not sure I understand the motivation to use a FIPS-compliant hash function > for log compaction -- what are the security ramifications? > > On Fri, Jul 22, 2016 at 2:56 PM Luciano Afranllie < > listas.luaf...@gmail.com> > wrote: > > > A little bit of background first. > > > > We are trying to make a deployment of Kafka that is FIPS 140-2 ( > > https://en.wikipedia.org/wiki/FIPS_140-2) complaint and one of the > > requirements is not to use MD5. > > > > As far as we could see, Kafka is using MD5 only to hash message keys in a > > offset map (SkimpyOffsetMap) used by the log cleaner. So, we are planning > > to change the hash algorithm to something allowed by FIPS. > > > > With this in mind we are thinking that it would be great if we can add a > > config property LogCleanerHashAlgorithmProp = > "log.cleaner.hash.algorithm" > > with a default value equal to "MD5" and use it in the constructor > > of CleanerConfig. In that case in future versions of Kafka we can just > > change the value of this property. > > > > Please let me know if you are Ok with this change. > > It is enough to create a pull request for this? Should I create a Jira > > first? > > > > Regards > > Luciano > > > > On Fri, Jul 22, 2016 at 5:58 PM, Luciano Afranllie < > > listas.luaf...@gmail.com > > > wrote: > > > > > Hi > > > > > > We are evaluating to change the hash algorithm used by the > > SkimpyOffsetMap > > > used by the LogCleaner from MD5 to SHA-1. > > > > > > Besides the impact in performance (more memory, more cpu usage) is > there > > > anything that may be impacted? > > > > > > Regards > > > Luciano > > > > > >
