Got it, makes sense to make the hash function customizable if there are
environments in which md5 usage is prevented. The approach you are
proposing sounds good to me.
On Sat, Jul 23, 2016 at 14:56 Luciano Afranllie <listas.luaf...@gmail.com>
wrote:

> Nothing wrong about using MD5 for that from a FIPS point of view, but we want
> to deploy with FIPS 140-2 mode enabled using only RSA security providers.
> With these settings it is not possible to use MD5.
>
> On Fri, Jul 22, 2016 at 8:49 PM, Shikhar Bhushan <shik...@confluent.io>
> wrote:
>
> > Not sure I understand the motivation to use a FIPS-compliant hash function
> > for log compaction -- what are the security ramifications?
> >
> > On Fri, Jul 22, 2016 at 2:56 PM Luciano Afranllie <listas.luaf...@gmail.com>
> > wrote:
> >
> > > A little bit of background first.
> > >
> > > We are trying to make a deployment of Kafka that is FIPS 140-2
> > > (https://en.wikipedia.org/wiki/FIPS_140-2) compliant and one of the
> > > requirements is not to use MD5.
> > >
> > > As far as we could see, Kafka is using MD5 only to hash message keys in
> > > an offset map (SkimpyOffsetMap) used by the log cleaner. So, we are
> > > planning to change the hash algorithm to something allowed by FIPS.
> > >
> > > With this in mind we are thinking that it would be great if we can add a
> > > config property LogCleanerHashAlgorithmProp = "log.cleaner.hash.algorithm"
> > > with a default value equal to "MD5" and use it in the constructor
> > > of CleanerConfig. In that case in future versions of Kafka we can just
> > > change the value of this property.
> > >
> > > Please let me know if you are Ok with this change.
> > > Is it enough to create a pull request for this? Should I create a Jira
> > > first?
> > >
> > > Regards
> > > Luciano
> > >
> > > On Fri, Jul 22, 2016 at 5:58 PM, Luciano Afranllie <listas.luaf...@gmail.com>
> > > wrote:
> > >
> > > > Hi
> > > >
> > > > We are evaluating changing the hash algorithm used by the
> > > > SkimpyOffsetMap used by the LogCleaner from MD5 to SHA-1.
> > > >
> > > > Besides the impact on performance (more memory, more CPU usage), is
> > > > there anything that may be impacted?
> > > >
> > > > Regards
> > > > Luciano
> > > >
> > >
> >
>
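
The proposal discussed in this thread, as an added Java example that is not part of the thread and is not Kafka's own code: the digest is resolved from `log.cleaner.hash.algorithm` with the default `MD5`, an algorithm the installed providers refuse (as MD5 would be under a FIPS-only provider) fails at startup, and the per-entry size shows the memory cost of a longer hash. The class and helper names, the 8-byte offset stored beside each hash, and the sample key and buffer size are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Properties;

public class CleanerHashConfigExample {
    // Property name and default value as proposed in the thread.
    static final String LOG_CLEANER_HASH_ALGORITHM_PROP = "log.cleaner.hash.algorithm";
    static final String DEFAULT_ALGORITHM = "MD5";
    // Assumption: each offset-map entry stores the key hash plus an 8-byte offset.
    static final int OFFSET_BYTES = 8;

    /** Resolve the configured digest; fail early if no installed provider offers it. */
    static MessageDigest digestFor(Properties props) {
        String algorithm = props.getProperty(LOG_CLEANER_HASH_ALGORITHM_PROP, DEFAULT_ALGORITHM);
        try {
            return MessageDigest.getInstance(algorithm);
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalArgumentException(
                LOG_CLEANER_HASH_ALGORITHM_PROP + "=" + algorithm
                + " is not available from the installed security providers", e);
        }
    }

    /** Number of keys a fixed-size buffer can hold for a given hash length. */
    static int slots(int memoryBytes, int hashBytes) {
        return memoryBytes / (hashBytes + OFFSET_BYTES);
    }

    public static void main(String[] args) {
        byte[] key = "constructed-message-key".getBytes(StandardCharsets.UTF_8);
        int memoryBytes = 128 * 1024 * 1024; // constructed buffer size
        for (String algorithm : new String[] {"MD5", "SHA-1", "SHA-256"}) {
            Properties props = new Properties();
            props.setProperty(LOG_CLEANER_HASH_ALGORITHM_PROP, algorithm);
            try {
                byte[] hash = digestFor(props).digest(key);
                System.out.printf("%-8s hash=%d bytes, slots=%d%n",
                    algorithm, hash.length, slots(memoryBytes, hash.length));
            } catch (IllegalArgumentException e) {
                // Reached when the provider set does not allow the algorithm.
                System.out.println(algorithm + ": rejected (" + e.getMessage() + ")");
            }
        }
    }
}
```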
