Difference between revisions of "Security/Icehouse/Keystone"
m (→Encryption Algorithms) |
(→Hashing Algorithms) |
||
Line 40: | Line 40: | ||
* The data being hashed is the entire cryptographically signed token (which uses the configured signing key). The chance for collisions should be low. | * The data being hashed is the entire cryptographically signed token (which uses the configured signing key). The chance for collisions should be low. | ||
|| | || | ||
− | * keystoneclient | + | * keystoneclient.utils.py |
− | * keystoneclient | + | * keystoneclient.common.cms.py |
|- | |- | ||
| sha1 || S3 credentials || No || hashlib || | | sha1 || S3 credentials || No || hashlib || | ||
Line 47: | Line 47: | ||
* Required for S3 compatibility, so it can't be configurable. | * Required for S3 compatibility, so it can't be configurable. | ||
|| | || | ||
− | * keystone | + | * keystone.contrib.s3.core.py |
|- | |- | ||
− | | sha1 || LDAP password hashing || No || PassLib || | + | | sha1 || LDAP password hashing || No || (sha1 from hashlib; salting from PassLib) || |
* Salted using PassLib default (currently 4 bytes). | * Salted using PassLib default (currently 4 bytes). | ||
|| | || | ||
− | * keystone | + | * keystone.common.utils.py |
|- | |- | ||
| sha1 || OAuth1 || No || oauthlib || | | sha1 || OAuth1 || No || oauthlib || | ||
Line 58: | Line 58: | ||
* Keystone only uses the HMAC-SHA1 signature for OAuth1 tokens (as described in [http://tools.ietf.org/html/rfc5849 RFC 5849]). | * Keystone only uses the HMAC-SHA1 signature for OAuth1 tokens (as described in [http://tools.ietf.org/html/rfc5849 RFC 5849]). | ||
* OAuth support can be disabled. | * OAuth support can be disabled. | ||
+ | * Likely uses hashlib for the actual algorithm. | ||
|| | || | ||
− | * keystone | + | * keystone.contrib.oauth1.core.py |
− | * keystone | + | * keystone.contrib.oauth1.verifier.py |
|- | |- | ||
| sha256 || EC2 tokens || No || hashlib || | | sha256 || EC2 tokens || No || hashlib || | ||
* Required for EC2 compatibility, so it can't be configurable. | * Required for EC2 compatibility, so it can't be configurable. | ||
|| | || | ||
− | * keystone | + | * keystone.credential.controllers.py |
− | * keystone | + | * keystone.common.utils.py |
− | * keystoneclient | + | * keystoneclient.contrib.ec2.utils.py |
|- | |- | ||
| sha384 || Memcache signing || No || hashlib || | | sha384 || Memcache signing || No || hashlib || | ||
* Used for signing and verification when memcache encryption is enabled. | * Used for signing and verification when memcache encryption is enabled. | ||
|| | || | ||
− | * keystoneclient | + | * keystoneclient.middleware.memcache_crypt.py |
|- | |- | ||
| sha512 || Password hashing || No || PassLib || | | sha512 || Password hashing || No || PassLib || | ||
* The algorithm is non-configurable, but the number of rounds is configurable via CONF.crypt_strength (default=40000). | * The algorithm is non-configurable, but the number of rounds is configurable via CONF.crypt_strength (default=40000). | ||
|| | || | ||
− | * keystone | + | * keystone.common.utils.py |
|} | |} | ||
Revision as of 04:54, 16 April 2014
This page documents security related details for the Keystone project in the OpenStack Icehouse release.
Contents
Implemented Crypto
Keystone doesn't have an home-brewed encryption implementations, everything is used from Python Standard libraries or third party libraries.
Used Crypto
Libraries
- oauthlib (uses hashlib)
- OpenSSL
- PassLib
- PyCrypto
- Python hashlib
- python-ldap (ultimately uses GnuTLS, NSS, or OpenSSL depending on the platform)
- Requests (for keystoneclient HTTPS usage - need to investigate underlying crypto usage)
Encryption Algorithms
Algorithm | Purpose | Configurable | Implementation | Details | Source |
---|---|---|---|---|---|
AES | Memcache backend encryption | No | PyCrypto |
|
|
RSA | PKI token signing | Yes | OpenSSL |
|
|
Hashing Algorithms
Algorithm | Purpose | Configurable | Implementation | Details | Source |
---|---|---|---|---|---|
md5 | Token hashing | No | hashlib |
|
|
sha1 | S3 credentials | No | hashlib |
|
|
sha1 | LDAP password hashing | No | (sha1 from hashlib; salting from PassLib) |
|
|
sha1 | OAuth1 | No | oauthlib |
|
|
sha256 | EC2 tokens | No | hashlib |
|
|
sha384 | Memcache signing | No | hashlib |
|
|
sha512 | Password hashing | No | PassLib |
|
|
Sensitive Data
Keys/Certificates
- PKI signing key - Protected via filesystem ownership/permissions.
- SSL/TLS key - Protected via filesystem ownership/permissions.
Passwords
- SSL/TLS must be enabled in Keystone to prevent clients from sending passwords over the network in clear-text.
- Passwords are truncated to a maximum length prior to hashing
- Configurable via CONF.identity.max_password_length (default=4096)
- SQL Identity
- Password hashes are stored in SQL database.
- SSL/TLS can be used to protect the connection to the database.
- LDAP Identity
- SSL/TLS must be used for connections to LDAP to prevent Keystone from sending passwords over the network in clear-text.
Tokens
- Signed tokens are stored in their entirety in one of the following backends:
- KVS
- Memcached
- Ephemeral storage.
- Able to use AES encryption and sha384 signing.
- SQL (default)
- Persistent storage.
- SSL/TLS can be used to protect the connection to the database.
- Expired tokens are not automatically removed from the backend. The "keystone-manage token_flush" command should be used to periodically remove expired tokens (via cron).
Potential Improvements
- Eliminate LDAP user password hashing. This code should be unnecessary, as passwords supplied by clients should only be used to perform LDAP bind operations and never stored locally in any form.
- Allow all hashing schemes to be configurable where not restricted by compatibility requirements (such as S3 and EC2)
- The use of md5 for token hashing is the biggest concern, as it's use is discouraged (or disallowed in the case of FIPS). Changes are in progress to make this configurable in Juno. The default should be sha256 if possible.
- Allow support for LDAP SASL bind methods(such as DIGEST-MD5 and GSSAPI).
- Allow other forms of external authentication to avoid using passwords (Kerberos, SAML).