NIST: increase RSA key length to 2048 bit

Bug #1369487 reported by Qin Zhao
Affects | Status | Importance | Assigned to | Milestone
OpenStack Compute (nova) | Fix Released | Medium | Qin Zhao |
OpenStack Security Advisory | Won't Fix | Undecided | Unassigned |

Bug Description

According to NIST 800-131A, RSA key length for digital signature must be >= 2048 bit.

In crypto.py, we use 1024 bit as the default key length to generate cert file, and do not specify any larger number to override the default value when utilizing it.

def generate_x509_cert(user_id, project_id, bits=1024):

Need to increase the default key length to 2048 bit.

Tags: security
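As an added illustration (not code from the nova project or from this bug report): a standard-library audit check that reports whether an RSA public key, given as DER PKCS#1 RSAPublicKey or X.509 SubjectPublicKeyInfo, meets the 2048-bit floor the report cites, so existing certs produced with the old 1024-bit default can be found. The DER encoder at the end exists only to build constructed sample keys; `sample_key`, `rsa_modulus_bits` and `meets_nist_minimum` are names chosen here.

```python
# Audit helper (standard library only): is an RSA public key, given as DER
# PKCS#1 RSAPublicKey or X.509 SubjectPublicKeyInfo, at least 2048 bits?
NIST_MIN_RSA_BITS = 2048  # SP 800-131A floor for RSA digital signatures
RSA_ENCRYPTION_OID = bytes.fromhex("06092a864886f70d010101")  # OID 1.2.840.113549.1.1.1

def _read_tlv(buf, pos=0):
    """Parse one DER TLV at buf[pos]; return (tag, value bytes, next position)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def rsa_modulus_bits(der):
    """Bit length of the RSA modulus n; raises ValueError on non-RSA input."""
    tag, seq, _ = _read_tlv(der)
    if tag != 0x30:
        raise ValueError("expected outer SEQUENCE")
    first_tag, first, after = _read_tlv(seq)
    if first_tag == 0x30:  # SubjectPublicKeyInfo: AlgorithmIdentifier, BIT STRING
        if not first.startswith(RSA_ENCRYPTION_OID):
            raise ValueError("not an rsaEncryption key")
        _, bitstring, _ = _read_tlv(seq, after)
        return rsa_modulus_bits(bitstring[1:])  # drop the unused-bits octet
    if first_tag != 0x02:
        raise ValueError("expected INTEGER modulus")
    return int.from_bytes(first, "big").bit_length()

def meets_nist_minimum(der, minimum=NIST_MIN_RSA_BITS):
    """True when the key would satisfy the 2048-bit default this bug asks for."""
    return rsa_modulus_bits(der) >= minimum

# Minimal DER encoder, used only to build constructed sample keys for testing.
def _der(tag, content):
    n = len(content)
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    length = bytes([n]) if n < 0x80 else bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content

def _der_int(value):
    body = value.to_bytes((value.bit_length() + 7) // 8 or 1, "big")
    return _der(0x02, (b"\x00" if body[0] & 0x80 else b"") + body)

def sample_key(bits, spki=False):
    """Constructed sample of the requested size (2**(bits-1)+1 is not a real modulus)."""
    pkcs1 = _der(0x30, _der_int((1 << (bits - 1)) | 1) + _der_int(65537))
    if not spki:
        return pkcs1
    alg_id = _der(0x30, RSA_ENCRYPTION_OID + b"\x05\x00")  # rsaEncryption, NULL params
    return _der(0x30, alg_id + _der(0x03, b"\x00" + pkcs1))
```

For a real certificate, feed the SubjectPublicKeyInfo bytes extracted from the DER certificate; the recursion handles both encodings.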
Qin Zhao (zhaoqin)
information type: Private Security → Public Security
OpenStack Infra (hudson-openstack) wrote : Fix proposed to nova (master)

Fix proposed to branch: master
Review: https://review.openstack.org/121497

Changed in nova:
assignee: nobody → Qin Zhao (zhaoqin)
status: New → In Progress
Jeremy Stanley (fungi) wrote :

I think this is the classic definition of a security hardening improvement, not a security vulnerability, and so not a fix for which the vulnerability management team would coordinate a security advisory unless:

a) there are now reliable attacks you can demonstrate which are enabled by the old default key length

b) the documentation claims nova generates longer keys by default than it actually does

c) configuration to force longer key lengths is documented but ignored by the software

It seems like none of the above are the case, so I propose the VMT treat this as a hardening fix unless you can provide evidence to the contrary.

Thierry Carrez (ttx) wrote :

Agreed, will open on Thursday if nobody complains.

Changed in ossa:
status: New → Incomplete
Thierry Carrez (ttx)
information type: Public Security → Public
tags: added: security
Changed in ossa:
status: Incomplete → Won't Fix
Joe Gordon (jogo)
Changed in nova:
milestone: none → juno-rc1
importance: Undecided → Medium
OpenStack Infra (hudson-openstack) wrote : Fix merged to nova (master)

Reviewed: https://review.openstack.org/121497
Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=3957d3bed8f2ee2bbb9e54dd67d4f3ab25fc3a13
Submitter: Jenkins
Branch: master

commit 3957d3bed8f2ee2bbb9e54dd67d4f3ab25fc3a13
Author: Qin Zhao <email address hidden>
Date: Mon Sep 15 18:08:51 2014 +0800

    NIST: increase RSA key length to 2048 bit

    According to NIST 800-131A, RSA key length for digital signature
    must >= 2048 bit. Now we use 1024 bit key to generate x509 cert
    file. Need to increase the key length to 2048 bit.

    Change-Id: I59f614b5d8a79f9e0a96503867cfca176be5c757
    Closes-Bug: 1369487

Changed in nova:
status: In Progress → Fix Committed
Thierry Carrez (ttx)
Changed in nova:
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in nova:
milestone: juno-rc1 → 2014.2