Difference between revisions of "Security/Icehouse/Keystone"

Revision as of 02:19, 6 April 2014

Algorithm	Purpose	Configurable	Implementation	Details	Source
AES	Memcache backend encryption	No	PyCrypto	Optionally used for encrypting the token backend.	keystoneclient/middleware/memcache_crypt.py
RSA	PKI token signing	Yes	OpenSSL	2048, sha1 defaults Configurable via openssl.conf. Keys/Certs can be created outside of Keystone and dropped into place.	keystone/common/openssl.py keystoneclient/common/cms.py

Hashing Algorithms

Algorithm	Purpose	Configurable	Implementation	Details	Source
md5	Token hashing	No	hashlib	Hash is used as an internal identifier in the token backend. The data being hashed is the entire cryptographically signed token (which uses the configured signing key). The chance for collisions should be low.	keystoneclient/utils.py keystoneclient/common/cms.py
sha1	S3 credentials	No	hashlib	Used for signature validation of S3 credentials. Required for S3 compatibility, so it can't be configurable.	keystone/contrib/s3/core.py
sha1	LDAP password hashing	No	PassLib	Salted using PassLib default (currently 4 bytes).	keystone/common/utils.py
sha1	OAuth1	No	oauthlib	Used for signature validation of OAuth1 tokens. OAuth usage is optional.	keystone/contrib/oauth1/core.py keystone/contrib/oauth1/verifier.py
sha256	EC2 tokens	No	hashlib	Required for EC2 compatibility, so it can't be configurable.	keystone/credential/controllers.py keystone/common/utils.py keystoneclient/contrib/ec2/utils.py
sha384	Memcache signing	No	hashlib	Used for signing and verification when memcache encryption is enabled.	keystoneclient/middleware/memcache_crypt.py
sha512	Password hashing	No	PassLib	The algorithm is non-configurable, but the number of rounds is configurable via CONF.crypt_strength (default=40000).	keystone/common/utils.py

Sensitive Data

Passwords
Tokens
Keys/Certificates

@@ Line 25: / Line 25: @@
 ! Algorithm !! Purpose !! Configurable !! Implementation !! Details  !! Source
 |-
-| md5 || Token hashing  || No || Python hashlib module ||
+| md5 || Token hashing  || No || hashlib ||
 * Hash is used as an internal identifier in the token backend.
 * The data being hashed is the entire cryptographically signed token (which uses the configured signing key).  The chance for collisions should be low.
@@ Line 31: / Line 31: @@
 * keystoneclient/utils.py
 * keystoneclient/common/cms.py
+|-
+| sha1 || S3 credentials || No || hashlib ||
+* Used for signature validation of S3 credentials.
+* Required for S3 compatibility, so it can't be configurable.
+||
+* keystone/contrib/s3/core.py
+|-
+| sha1 || LDAP password hashing || No || PassLib ||
+* Salted using PassLib default (currently 4 bytes).
+||
+* keystone/common/utils.py
+|-
+| sha1 || OAuth1 || No || oauthlib ||
+* Used for signature validation of OAuth1 tokens.
+* OAuth usage is optional.
+||
+* keystone/contrib/oauth1/core.py
+* keystone/contrib/oauth1/verifier.py
+|-
+| sha256 || EC2 tokens || No || hashlib ||
+* Required for EC2 compatibility, so it can't be configurable.
+||
+* keystone/credential/controllers.py
+* keystone/common/utils.py
+* keystoneclient/contrib/ec2/utils.py
+|-
+| sha384 || Memcache signing || No || hashlib ||
+* Used for signing and verification when memcache encryption is enabled.
+||
+* keystoneclient/middleware/memcache_crypt.py
+|-
+| sha512 || Password hashing || No || PassLib ||
+* The algorithm is non-configurable, but the number of rounds is configurable via CONF.crypt_strength (default=40000).
+||
+* keystone/common/utils.py
 |}
 === Sensitive Data ===
 * Passwords
 * Tokens
 * Keys/Certificates

Difference between revisions of "Security/Icehouse/Keystone"

Revision as of 02:19, 6 April 2014

Contents

Implemented Crypto

Used Crypto

Encryption Algorithms

Hashing Algorithms

Sensitive Data