Jump to: navigation, search

Security/Juno/Barbican

< Security‎ | Juno

This page documents security related details for the Barbican project in the OpenStack Juno release.

Implemented Crypto

Used Crypto

Libraries

  • PyCrypto
  • PyKCS11 (what does this use for underlying crypto?)

Encryption Algorithms

Algorithm Purpose Configurable Implementation Details Source
AES Example crypto plug-in No PyCrypto
  • Uses a 128 bit hardcoded default key. The key can be over-ridden by config.
  • TODO - fill in details on what this is used for (if anything other than an example)
  • barbican/crypto/plugin.py:SimpleCryptoPlugin
AES PKCS11 plug-in No PyKCS11
  • TODO - fill in details (key size, usage, etc.)
  • barbican/crypto/p11_crypto.py:P11CryptoPlugin
AES utility class Yes PyCrypto
  • Used as the default encryption/decryption algorithm for symmetric crypto utility class.
  • Caller can specify a different algorithm.
  • Caller specifies the key size.
  • This class isn't currently used anywhere within Barbican.
  • barbican/openstack/common/crypto/utils.py:SymmetricCrypto
DES Example crypto plug-in  ?  ?
  • TODO - Mentioned in SYMMETRIC_ALGORITHMS, but I don't see that this is actually used/implemented anywhere. What is this for? Do we even need to mention DES in the code here?
  • barbican/crypto/plugin.py:PluginSupportTypes

Hashing Algorithms

Algorithm Purpose Configurable Implementation Details Source
sha256 HKDF Yes PyCrypto
  • Used as the default algorithm for HMAC-based Key Derivation Function (HKDF) utility class.
  • Caller can specify a different hashing algorithm.
  • This class isn't currently used anywhere within Barbican.
  • barbican/openstack/common/crypto/utils.py:HKDF
sha256 symmetric crypto signing Yes PyCrypto
  • Used as the default signing (HMAC) algorithm for symmetric crypto utility class.
  • Caller can specify a different hashing algorithm.
  • This class isn't currently used anywhere within Barbican.
  • barbican/openstack/common/crypto/utils.py:SymmetricCrypto

Sensitive Data

Keys/Certificates

Passwords

Potential Improvements