Keystone token hashing is MD5
Bug #1174499 reported by Adam Young
This bug affects 2 people
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| OpenStack Dashboard (Horizon) | Fix Released | Low | Brant Knudson | |
| OpenStack Identity (keystone) | Fix Released | Wishlist | Brant Knudson | |
| django-openstack-auth | Fix Released | Wishlist | Brant Knudson | |
| openstack-api-site | Invalid | Undecided | Unassigned | |
| python-keystoneclient | Fix Released | Wishlist | Morgan Fainberg | |
Bug Description
https:/
```python
import hashlib

PKI_ANS1_PREFIX = 'MII'  # base64 of a DER SEQUENCE; every CMS-signed PKI token starts with it


def is_ans1_token(token_id):
    # keystoneclient's prefix check: PKI tokens get hashed, UUID tokens are passed through
    return token_id[:3] == PKI_ANS1_PREFIX


def cms_hash_token(token_id):
    """
    return: for ans1_token, returns the hash of the passed in token
            otherwise, returns what it was passed in.
    """
    if token_id is None:
        return None
    if is_ans1_token(token_id):
        hasher = hashlib.md5()  # the hard-coded MD5 digest this report objects to
        hasher.update(token_id.encode('utf-8'))
        return hasher.hexdigest()
    else:
        return token_id
```
MD5 is a deprecated mechanism; it should be replaced with at least SHA1, if not SHA256.
Keystone should be able to support multiple Hash types, and the auth_token middleware should query Keystone to find out which type is in use.
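An added example of the direction the report asks for (not the reporter's code and not keystoneclient's actual fix): the digest algorithm becomes a parameter, an algorithm hashlib does not know is rejected instead of silently falling back to MD5, and the middleware-side revocation check computes one digest per configured algorithm so a list published during an MD5-to-SHA-256 migration still matches. The names `hash_token`, `is_revoked` and the `hash_algorithms` tuple are assumptions made for this example.

```python
import hashlib

PKI_ASN1_PREFIX = 'MII'  # base64 of a DER SEQUENCE: CMS-signed PKI tokens start with it


def is_asn1_token(token_id):
    """PKI tokens are base64 DER blobs and get hashed; UUID tokens are used as-is."""
    return token_id[:3] == PKI_ASN1_PREFIX


def hash_token(token_id, mode='md5'):
    """Hash a PKI token with the named hashlib algorithm; pass other tokens through.

    Raises ValueError for an algorithm hashlib does not provide, so a typo in
    configuration fails loudly rather than quietly keeping a weak default.
    (hypothetical helper; the default is MD5 only to mirror the current behaviour)
    """
    if token_id is None:
        return None
    if not is_asn1_token(token_id):
        return token_id
    if mode not in hashlib.algorithms_available:
        raise ValueError('unsupported hash algorithm: %s' % mode)
    hasher = hashlib.new(mode)
    hasher.update(token_id.encode('utf-8'))
    return hasher.hexdigest()


def is_revoked(token_id, revoked_hashes, hash_algorithms=('sha256', 'md5')):
    """Match a token against a revocation list while algorithms are in transition.

    An older Keystone may still publish MD5 digests while a newer one publishes
    SHA-256, so every configured algorithm is tried and any hit counts.
    (hypothetical middleware-side check)
    """
    candidates = {hash_token(token_id, mode) for mode in hash_algorithms}
    return bool(candidates & set(revoked_hashes))


if __name__ == '__main__':
    # constructed sample token: a short string carrying the PKI prefix
    sample = 'MIIabc'
    revocation_list = [hash_token(sample, 'md5')]  # list as an MD5-only server publishes it
    print(hash_token(sample, 'sha256'))
    print(is_revoked(sample, revocation_list))
```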
Changed in keystone: assignee: nobody → Li Ma (nick-ma-b)
Changed in keystone: status: Confirmed → In Progress
Changed in keystone: assignee: Li Ma (nick-ma-b) → nobody
Changed in keystone: assignee: nobody → Li Ma (nick-ma-b)
Changed in python-keystoneclient: assignee: nobody → Li Ma (nick-ma-b)
Changed in keystone: assignee: Li Ma (nick-ma-b) → nobody
Changed in python-keystoneclient: assignee: Li Ma (nick-ma-b) → nobody
Changed in python-keystoneclient: milestone: none → 0.8.0
Changed in openstack-api-site: status: New → Confirmed; tags: added: identity-api
Changed in python-keystoneclient: milestone: 0.8.0 → none
Changed in python-keystoneclient: assignee: Brant Knudson (blk-u) → Morgan Fainberg (mdrnstm)
Changed in python-keystoneclient: milestone: none → 0.9.0
Changed in python-keystoneclient: status: Fix Committed → Fix Released
Changed in keystone: milestone: none → juno-1; status: Fix Committed → Fix Released
Changed in django-openstack-auth: milestone: none → 1.1.7; status: Fix Committed → Fix Released; importance: Undecided → Wishlist
Changed in horizon: milestone: none → kilo-1
Changed in horizon: milestone: kilo-1 → juno-rc2; tags: removed: juno-rc-potential security
Changed in keystone: milestone: juno-1 → 2014.2
Changed in horizon: milestone: juno-rc2 → 2014.2
Changed in openstack-api-site: status: Incomplete → Invalid
This is definitely a good strengthening action, but I don't think it qualifies as a vulnerability. MD5 is weaker than other hashing schemes, but practical collisions are still a bit hard to do, especially when you don't control the entirety of the cleartext.
If nobody complains, I'll open this bug and tag it "security" so that it gets wider attention, but it would not get an embargo or an OSSA.