Wei-Chiu Chuang created HADOOP-16486:
----------------------------------------
Summary: Hadoop Credential Provider to support more secure key store types
Key: HADOOP-16486
URL: https://issues.apache.org/jira/browse/HADOOP-16486
Project: Hadoop Common
Issue Type: Improvement
Reporter: Wei-Chiu Chuang
The Hadoop CredentialProvider API uses the JCEKS key type.
JCEKS uses 3DES encryption, which was deprecated by NIST last year, on July 19, 2018 [1].
This is not desirable for more security-sensitive users. I would like to propose making Hadoop CP support more key types, like PKCS12. In fact, PKCS12 has been the default since JDK 9 [2], and it has been the recommended key type since JDK 8u151 [3].
Looking at Java's documentation [4][5], it looks like JCE does support other key types, so we can start by making it configurable in the Hadoop code [here|https://github.com/apache/hadoop/blob/a55d6bba71c81c1c4e9d8cd11f55c78f10a548b0/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/alias/AbstractJavaKeyStoreProvider.java#L318].
To make it work, it will probably require more than this change, for example migrating existing keys to the new key type. Filing this Jira to get started.
References:
[1] [https://csrc.nist.gov/News/2017/Update-to-Current-Use-and-Deprecation-of-TDEA]
[2] [https://blogs.oracle.com/jtc/jdk9-keytool-transitions-default-keystore-to-pkcs12]
[3] [https://www.oracle.com/technetwork/java/javase/8u151-relnotes-3850493.html]
[4] [https://docs.oracle.com/javase/8/docs/technotes/guides/security/StandardNames.html#KeyStore]
[5] [https://docs.oracle.com/javase/8/docs/technotes/guides/security/crypto/CryptoSpec.html#KeystoreImplementation]
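The migration step mentioned above (moving existing credential entries from a JCEKS store into a PKCS12 store) is easy to get wrong in the details, so here is a worked example of it. This is an added example, not code from the Hadoop project or from the issue reporter. It assumes that Hadoop stores each credential as the UTF-8 bytes of the secret wrapped in a SecretKeySpec with algorithm name "AES" (my reading of the linked AbstractJavaKeyStoreProvider), that the store password is "none" when HADOOP_CREDSTORE_PASSWORD is unset, and it works on constructed sample credentials entirely in memory. The class name CredentialStoreMigration and the sample aliases are hypothetical.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.Map;
import javax.crypto.SecretKey;
import javax.crypto.spec.SecretKeySpec;

/**
 * Copies every SecretKeyEntry from a keystore of one type (here JCEKS) into a
 * keystore of another type (here PKCS12), preserving aliases and the store
 * password. Runs entirely in memory on constructed sample credentials.
 */
public final class CredentialStoreMigration {

    // Assumption: Hadoop's default store password when HADOOP_CREDSTORE_PASSWORD is unset.
    static final char[] PASSWORD = "none".toCharArray();

    /** Builds a keystore of the given type from alias -> credential pairs (simulates an existing store). */
    static byte[] buildStore(String type, Map<String, String> credentials) throws Exception {
        KeyStore ks = KeyStore.getInstance(type);
        ks.load(null, PASSWORD);
        KeyStore.ProtectionParameter prot = new KeyStore.PasswordProtection(PASSWORD);
        for (Map.Entry<String, String> e : credentials.entrySet()) {
            // Assumption: a credential is the UTF-8 bytes of the secret wrapped in a
            // SecretKeySpec whose algorithm name is "AES", as AbstractJavaKeyStoreProvider does.
            SecretKey key = new SecretKeySpec(e.getValue().getBytes(StandardCharsets.UTF_8), "AES");
            ks.setEntry(e.getKey(), new KeyStore.SecretKeyEntry(key), prot);
        }
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        ks.store(out, PASSWORD);
        return out.toByteArray();
    }

    /** Re-encodes all secret-key entries of srcType as a dstType keystore; refuses anything else. */
    static byte[] migrate(byte[] srcBytes, String srcType, String dstType) throws Exception {
        KeyStore src = KeyStore.getInstance(srcType);
        src.load(new ByteArrayInputStream(srcBytes), PASSWORD);
        KeyStore dst = KeyStore.getInstance(dstType);
        dst.load(null, PASSWORD);
        KeyStore.ProtectionParameter prot = new KeyStore.PasswordProtection(PASSWORD);
        for (String alias : Collections.list(src.aliases())) {
            if (!src.entryInstanceOf(alias, KeyStore.SecretKeyEntry.class)) {
                // A credential store should only hold secret keys; fail loudly rather than
                // silently dropping or mis-copying a private-key or certificate entry.
                throw new IllegalStateException("unexpected non-secret entry: " + alias);
            }
            dst.setEntry(alias, src.getEntry(alias, prot), prot);
        }
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        dst.store(out, PASSWORD);
        return out.toByteArray();
    }

    /** Reads every entry back as alias -> credential string, the way a provider would. */
    static Map<String, String> readAll(byte[] bytes, String type) throws Exception {
        KeyStore ks = KeyStore.getInstance(type);
        ks.load(new ByteArrayInputStream(bytes), PASSWORD);
        Map<String, String> result = new LinkedHashMap<>();
        for (String alias : Collections.list(ks.aliases())) {
            SecretKey key = (SecretKey) ks.getKey(alias, PASSWORD);
            result.put(alias, new String(key.getEncoded(), StandardCharsets.UTF_8));
        }
        return result;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample credentials; not real keys.
        Map<String, String> creds = new LinkedHashMap<>();
        creds.put("fs.s3a.access.key", "AKIAEXAMPLEEXAMPLE");
        creds.put("fs.s3a.secret.key", "constructed-secret-value-not-a-real-key");

        byte[] jceks = buildStore("JCEKS", creds);           // the legacy store
        byte[] pkcs12 = migrate(jceks, "JCEKS", "PKCS12");   // the migrated store
        Map<String, String> roundTrip = readAll(pkcs12, "PKCS12");

        // Every alias must come back with the identical secret bytes, or the migration is unusable.
        if (!roundTrip.equals(creds)) {
            throw new AssertionError("migration lost or altered entries: " + roundTrip.keySet());
        }
        System.out.println("migrated " + roundTrip.size() + " entries from JCEKS ("
            + jceks.length + " bytes) to PKCS12 (" + pkcs12.length + " bytes)");
    }
}
```

Two caveats for anyone doing this for real. First, the same copy can be done from the command line with keytool -importkeystore -srcstoretype JCEKS -deststoretype PKCS12, but whichever route is used, the round-trip read-back check above is the part that matters, because a store that loads but returns altered bytes fails only at the moment a job needs the credential. Second, switching the container to PKCS12 does not by itself get rid of 3DES: the JDK's PKCS12 implementation protects secret-key entries with its own password-based cipher, which on JDKs before the default upgrade (JDK 12, backported to 11.0.12 and 8u301, to my knowledge) is PBEWithSHA1AndDESede; on those releases the keystore.pkcs12.keyProtectionAlgorithm security property in java.security needs to be set to an AES-based PBE before the migration is actually an improvement over JCEKS.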
--
This message was sent by Atlassian JIRA
(v7.6.14#76016)