Hadoop Common: HADOOP-15235

Authentication Tokens should use HMAC instead of MAC


    Details

    • Type: Improvement
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 2.10.0, 3.2.0
    • Fix Version/s: 3.1.0, 2.10.0
    • Component/s: security
    • Labels: None
    • Target Version/s: (none)
    • Hadoop Flags: Reviewed

      Description

      We currently use MessageDigest to compute a "SHA" MAC for signing Authentication Tokens. Firstly, what "SHA" maps to is dependent on the JVM and Cryptography Provider. While they should do something reasonable, it's probably a safer idea to pick a specific algorithm. It looks like the Oracle JVM picks SHA-1; though something like SHA-256 would be better.

      In any case, it would also be better to use an HMAC algorithm instead.

      Changing from SHA-1 to SHA-256 or MAC to HMAC won't generate equivalent signatures, so this would normally be an incompatible change because the server wouldn't accept previous tokens it issued with the older algorithm. However, Authentication Tokens are used as a cheaper shortcut for Kerberos, so it's expected for users to also have Kerberos credentials; in this case, the Authentication Token will be rejected, but it will silently retry using Kerberos, and get an updated token. So this should all be transparent to the user.

      And finally, the code where we verify a signature uses a non-constant-time comparison, which could be subject to timing attacks. I believe it would be quite difficult in this case to do so, but we're probably better off using a constant-time comparison.
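The three changes the description asks for, shown side by side as an added illustration (this is not Hadoop's code and does not reproduce its token format; the secret, the token payload and the method names are constructed for the example): the "before" shape uses the provider-dependent "SHA" alias over the payload and secret and compares the result with String.equals(), while the "after" shape names HmacSHA256 explicitly, keys the MAC with the secret, and compares with MessageDigest.isEqual(), which does not stop at the first differing byte.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

/**
 * Illustrative token signer, not Hadoop's code: the "before" shape the issue
 * describes next to the hardened "after" shape it proposes.
 */
public final class TokenSignerExample {

    /** Before: "SHA" resolves to whatever the provider maps it to (SHA-1 on the Oracle JVM per the issue). */
    static String legacySign(byte[] secret, String payload) throws NoSuchAlgorithmException {
        MessageDigest md = MessageDigest.getInstance("SHA");
        md.update(payload.getBytes(StandardCharsets.UTF_8));
        md.update(secret);
        return Base64.getEncoder().encodeToString(md.digest());
    }

    static boolean legacyVerify(byte[] secret, String payload, String signature)
            throws NoSuchAlgorithmException {
        // String.equals() returns at the first mismatching character: not constant-time.
        return legacySign(secret, payload).equals(signature);
    }

    /** After: an explicit HMAC algorithm keyed with the secret. */
    static byte[] hmacSign(byte[] secret, String payload) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(secret, "HmacSHA256"));
        return mac.doFinal(payload.getBytes(StandardCharsets.UTF_8));
    }

    static boolean hmacVerify(byte[] secret, String payload, byte[] signature) throws Exception {
        byte[] expected = hmacSign(secret, payload);
        // MessageDigest.isEqual compares every byte when the lengths match,
        // so the time taken does not reveal where the first difference is.
        return MessageDigest.isEqual(expected, signature);
    }

    public static void main(String[] args) throws Exception {
        // Constructed demo values; a real deployment loads the secret from its signature provider.
        byte[] secret = "constructed-demo-secret".getBytes(StandardCharsets.UTF_8);
        String token = "u=alice&t=hdfs&e=1700000000";

        String legacySig = legacySign(secret, token);
        System.out.println("legacy verifier accepts legacy sig: " + legacyVerify(secret, token, legacySig));

        byte[] sig = hmacSign(secret, token);
        System.out.println("hmac verifier accepts hmac sig:     " + hmacVerify(secret, token, sig));

        // A token issued under the old algorithm is rejected by the new verifier;
        // as the issue notes, the client then silently retries with Kerberos and gets a fresh token.
        byte[] oldSig = Base64.getDecoder().decode(legacySig);
        System.out.println("hmac verifier accepts legacy sig:   " + hmacVerify(secret, token, oldSig));
    }
}
```

MessageDigest.isEqual() still returns early when the two arrays differ in length; that is acceptable here because the expected MAC length is fixed by the algorithm and is not secret. Naming "HmacSHA256" rather than a generic alias also pins the algorithm across JVMs and providers, which is the first point the issue raises.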


            People

            • Assignee: Robert Kanter (rkanter)
            • Reporter: Robert Kanter (rkanter)