Difference between revisions of "Security/Icehouse/Keystone"
(Created page with "=== Implemented Crypto === None. === Used Crypto === ==== Encryption Algorithms ==== {| class="wikitable sortable" |- ! Algorithm !! Purpose !! Configurable !! Implementation...")
(→Hashing Algorithms)
Line 25: | Line 25: | ||
! Algorithm !! Purpose !! Configurable !! Implementation !! Details !! Source | ! Algorithm !! Purpose !! Configurable !! Implementation !! Details !! Source | ||
|- | |- | ||
− | | md5 || Token hashing || No || | + | | md5 || Token hashing || No || hashlib || |
* Hash is used as an internal identifier in the token backend. | * Hash is used as an internal identifier in the token backend. | ||
* The data being hashed is the entire cryptographically signed token (which uses the configured signing key). The chance for collisions should be low. | * The data being hashed is the entire cryptographically signed token (which uses the configured signing key). The chance for collisions should be low. | ||
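Review bot: the md5 row's Details column argues that collisions are unlikely because the input is the signed token, but it does not say that this use only needs the digest to be a unique lookup key for data produced by the signing-key holder, not to resist an attacker choosing inputs; md5 collision resistance is broken, so make that explicit, e.g. "md5 is used only as an internal identifier and no security property depends on its collision resistance".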
Line 31: | Line 31: | ||
* keystoneclient/utils.py | * keystoneclient/utils.py | ||
* keystoneclient/common/cms.py | * keystoneclient/common/cms.py | ||
+ | |- | ||
+ | | sha1 || S3 credentials || No || hashlib || | ||
+ | * Used for signature validation of S3 credentials. | ||
+ | * Required for S3 compatibility, so it can't be configurable. | ||
+ | || | ||
+ | * keystone/contrib/s3/core.py | ||
+ | |- | ||
+ | | sha1 || LDAP password hashing || No || PassLib || | ||
+ | * Salted using PassLib default (currently 4 bytes). | ||
+ | || | ||
+ | * keystone/common/utils.py | ||
+ | |- | ||
+ | | sha1 || OAuth1 || No || oauthlib || | ||
+ | * Used for signature validation of OAuth1 tokens. | ||
+ | * OAuth usage is optional. | ||
+ | || | ||
+ | * keystone/contrib/oauth1/core.py | ||
+ | * keystone/contrib/oauth1/verifier.py | ||
+ | |- | ||
+ | | sha256 || EC2 tokens || No || hashlib || | ||
+ | * Required for EC2 compatibility, so it can't be configurable. | ||
+ | || | ||
+ | * keystone/credential/controllers.py | ||
+ | * keystone/common/utils.py | ||
+ | * keystoneclient/contrib/ec2/utils.py | ||
+ | |- | ||
+ | | sha384 || Memcache signing || No || hashlib || | ||
+ | * Used for signing and verification when memcache encryption is enabled. | ||
+ | || | ||
+ | * keystoneclient/middleware/memcache_crypt.py | ||
+ | |- | ||
+ | | sha512 || Password hashing || No || PassLib || | ||
+ | * The algorithm is non-configurable, but the number of rounds is configurable via CONF.crypt_strength (default=40000). | ||
+ | || | ||
+ | * keystone/common/utils.py | ||
|} | |} | ||
+ | |||
=== Sensitive Data === | === Sensitive Data === | ||
* Passwords | * Passwords | ||
* Tokens | * Tokens | ||
* Keys/Certificates | * Keys/Certificates |
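Review bot: the sha1 "LDAP password hashing" row (Details: "Salted using PassLib default (currently 4 bytes)") does not name the PassLib handler or say whether it iterates, while the sha512 "Password hashing" row documents rounds via CONF.crypt_strength; name the handler so the two password-hashing rows can be compared. The sha384 "Memcache signing" row should also state whether the digest is keyed (HMAC) or a plain hash, since an unkeyed hash would not authenticate the cached data.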
Revision as of 02:19, 6 April 2014
Implemented Crypto
None.
Used Crypto
Encryption Algorithms
Algorithm | Purpose | Configurable | Implementation | Details | Source
---|---|---|---|---|---
AES | Memcache backend encryption | No | PyCrypto | |
RSA | PKI token signing | Yes | OpenSSL | |
Hashing Algorithms
Algorithm | Purpose | Configurable | Implementation | Details | Source
---|---|---|---|---|---
md5 | Token hashing | No | hashlib | Hash is used as an internal identifier in the token backend. The data being hashed is the entire cryptographically signed token (which uses the configured signing key). The chance for collisions should be low. | keystoneclient/utils.py; keystoneclient/common/cms.py
sha1 | S3 credentials | No | hashlib | Used for signature validation of S3 credentials. Required for S3 compatibility, so it can't be configurable. | keystone/contrib/s3/core.py
sha1 | LDAP password hashing | No | PassLib | Salted using PassLib default (currently 4 bytes). | keystone/common/utils.py
sha1 | OAuth1 | No | oauthlib | Used for signature validation of OAuth1 tokens. OAuth usage is optional. | keystone/contrib/oauth1/core.py; keystone/contrib/oauth1/verifier.py
sha256 | EC2 tokens | No | hashlib | Required for EC2 compatibility, so it can't be configurable. | keystone/credential/controllers.py; keystone/common/utils.py; keystoneclient/contrib/ec2/utils.py
sha384 | Memcache signing | No | hashlib | Used for signing and verification when memcache encryption is enabled. | keystoneclient/middleware/memcache_crypt.py
sha512 | Password hashing | No | PassLib | The algorithm is non-configurable, but the number of rounds is configurable via CONF.crypt_strength (default=40000). | keystone/common/utils.py
Sensitive Data
- Passwords
- Tokens
- Keys/Certificates