OpenStack Identity (keystone)

Bug #942644
Activity log

Activity log for bug #942644

Date	Who	What changed	Old value	New value	Message
2012-02-28 14:41:55	Paul McMillan	bug			added bug
2012-02-28 14:42:25	Paul McMillan	bug task added		nova
2012-02-28 14:42:44	Paul McMillan	bug task added		swift
2012-02-28 15:23:42	Russell Bryant	keystone: status	New	Confirmed
2012-02-28 15:23:58	Russell Bryant	nova: status	New	Confirmed
2012-02-28 15:24:01	Russell Bryant	swift: status	New	Confirmed
2012-02-28 15:24:14	Russell Bryant	bug			added subscriber Vish Ishaya
2012-02-28 15:24:26	Russell Bryant	bug			added subscriber Ziad Sawalha
2012-02-28 15:24:37	Russell Bryant	bug			added subscriber John Dickinson
2012-02-28 16:44:04	Russell Bryant	attachment added		nova-timing-attacks.rev1.txt https://bugs.launchpad.net/keystone/+bug/942644/+attachment/2791259/+files/nova-timing-attacks.rev1.txt
2012-02-28 16:44:29	Russell Bryant	attachment added		swift-timing-attacks.rev1.txt https://bugs.launchpad.net/keystone/+bug/942644/+attachment/2791260/+files/swift-timing-attacks.rev1.txt
2012-02-28 16:44:59	Russell Bryant	attachment added		keystone-timing-attacks.rev1.txt https://bugs.launchpad.net/keystone/+bug/942644/+attachment/2791261/+files/keystone-timing-attacks.rev1.txt
2012-02-28 18:58:28	Paul McMillan	description	I filed this bug against keystone because it is the most practically exploitable. Everywhere else that uses a tokenized API or signatures should be audited. For those who haven't encountered them before, the timing attacks I'm reporting here allow an attacker to deduce the correct value for authentication tokens in much less than brute force time when those tokens are validated with a simple equality comparison. A quick and easy introduction: http://codahale.com/a-lesson-in-timing-attacks/ Some practical recent research: http://rdist.root.org/2010/07/19/exploiting-remote-timing-attacks/ (the actual presentation) http://www.youtube.com/results?search_query=nate+lawson+timing Keystone uses passlib do hash and compare user passwords. This is good, because it includes an opaque password validity check which is hardened against timing attacks. Unfortunately, most of the other token validation routines in openstack use equality comparisons for this, rather than a constant time compare function like this one: https://code.djangoproject.com/browser/django/trunk/django/utils/crypto.py#L78 Here are a few examples of brokenness. There are probably quite a few more, I haven't done a full audit. https://github.com/openstack/keystone/blob/master/keystone/contrib/s3/core.py#L50 https://github.com/openstack/keystone/blob/master/keystone/contrib/ec2/core.py#L108 https://github.com/openstack/nova/blob/master/nova/auth/manager.py#L331, https://github.com/openstack/nova/blob/master/nova/auth/manager.py#L343 https://github.com/openstack/nova/blob/master/nova/auth/manager.py#L346 https://github.com/openstack/swift/blob/master/swift/common/middleware/formpost.py#L445 This one is more subtle - given a valid token, it allows an attacker to deduce the correct username https://github.com/openstack/nova/blob/master/nova/api/openstack/auth.py#L245 While these vulnerabilities may be difficult to exploit over the general internet, an openstack installation can expect an attack from a compromised node, which may be as far away as gigabit switched ethernet, or as close as a vm container on the same physical host. In the latter case, timing attacks even against string comparisons are eminently practical. Timing attacks are one of the topics I'll be discussing at Pycon on March 9. It would be nice to have these fixed before then.	I filed this bug against keystone because it is the most practically exploitable. Everywhere else that uses a tokenized API or signatures should be audited. For those who haven't encountered them before, the timing attacks I'm reporting here allow an attacker to deduce the correct value for authentication tokens in much less than brute force time when those tokens are validated with a simple equality comparison. A quick and easy introduction: http://codahale.com/a-lesson-in-timing-attacks/ Some practical recent research: http://rdist.root.org/2010/07/19/exploiting-remote-timing-attacks/ (the actual presentation) http://www.youtube.com/results?search_query=nate+lawson+timing Keystone uses passlib to hash and compare user passwords. This is good, because it includes an opaque password validity check which is hardened against timing attacks. Unfortunately, most of the other token validation routines in openstack use equality comparisons for this, rather than a constant time compare function like this one: https://code.djangoproject.com/browser/django/trunk/django/utils/crypto.py#L78 Here are a few examples of brokenness. There are probably quite a few more, I haven't done a full audit. https://github.com/openstack/keystone/blob/master/keystone/contrib/s3/core.py#L50 https://github.com/openstack/keystone/blob/master/keystone/contrib/ec2/core.py#L108 https://github.com/openstack/nova/blob/master/nova/auth/manager.py#L331, https://github.com/openstack/nova/blob/master/nova/auth/manager.py#L343 https://github.com/openstack/nova/blob/master/nova/auth/manager.py#L346 https://github.com/openstack/swift/blob/master/swift/common/middleware/formpost.py#L445 This one is more subtle - given a valid token, it allows an attacker to deduce the correct username https://github.com/openstack/nova/blob/master/nova/api/openstack/auth.py#L245 While these vulnerabilities may be difficult to exploit over the general internet, an openstack installation can expect an attack from a compromised node, which may be as far away as gigabit switched ethernet, or as close as a vm container on the same physical host. In the latter case, timing attacks even against string comparisons are eminently practical. Timing attacks are one of the topics I'll be discussing at Pycon on March 9. It would be nice to have these fixed before then.
2012-02-28 19:49:38	Paul McMillan	description	I filed this bug against keystone because it is the most practically exploitable. Everywhere else that uses a tokenized API or signatures should be audited. For those who haven't encountered them before, the timing attacks I'm reporting here allow an attacker to deduce the correct value for authentication tokens in much less than brute force time when those tokens are validated with a simple equality comparison. A quick and easy introduction: http://codahale.com/a-lesson-in-timing-attacks/ Some practical recent research: http://rdist.root.org/2010/07/19/exploiting-remote-timing-attacks/ (the actual presentation) http://www.youtube.com/results?search_query=nate+lawson+timing Keystone uses passlib to hash and compare user passwords. This is good, because it includes an opaque password validity check which is hardened against timing attacks. Unfortunately, most of the other token validation routines in openstack use equality comparisons for this, rather than a constant time compare function like this one: https://code.djangoproject.com/browser/django/trunk/django/utils/crypto.py#L78 Here are a few examples of brokenness. There are probably quite a few more, I haven't done a full audit. https://github.com/openstack/keystone/blob/master/keystone/contrib/s3/core.py#L50 https://github.com/openstack/keystone/blob/master/keystone/contrib/ec2/core.py#L108 https://github.com/openstack/nova/blob/master/nova/auth/manager.py#L331, https://github.com/openstack/nova/blob/master/nova/auth/manager.py#L343 https://github.com/openstack/nova/blob/master/nova/auth/manager.py#L346 https://github.com/openstack/swift/blob/master/swift/common/middleware/formpost.py#L445 This one is more subtle - given a valid token, it allows an attacker to deduce the correct username https://github.com/openstack/nova/blob/master/nova/api/openstack/auth.py#L245 While these vulnerabilities may be difficult to exploit over the general internet, an openstack installation can expect an attack from a compromised node, which may be as far away as gigabit switched ethernet, or as close as a vm container on the same physical host. In the latter case, timing attacks even against string comparisons are eminently practical. Timing attacks are one of the topics I'll be discussing at Pycon on March 9. It would be nice to have these fixed before then.	I filed this bug against keystone because it is the most practically exploitable. Everywhere else that uses a tokenized API or signatures should be audited. For those who haven't encountered them before, the timing attacks I'm reporting here allow an attacker to deduce the correct value for authentication tokens in much less than brute force time when those tokens are validated with a simple equality comparison. A quick and easy introduction: http://codahale.com/a-lesson-in-timing-attacks/ Some practical recent research: http://rdist.root.org/2010/07/19/exploiting-remote-timing-attacks/ (the actual presentation) http://www.youtube.com/results?search_query=nate+lawson+timing Keystone uses passlib to hash and compare user passwords. This is good, because it includes an opaque password validity check which is hardened against timing attacks. Unfortunately, most of the other token validation routines in openstack use equality comparisons for this, rather than a constant time compare function like this one: https://code.djangoproject.com/browser/django/trunk/django/utils/crypto.py#L78 Here are a few examples of brokenness. There are probably quite a few more, I haven't done a full audit. https://github.com/openstack/keystone/blob/master/keystone/contrib/s3/core.py#L50 https://github.com/openstack/keystone/blob/master/keystone/contrib/ec2/core.py#L108 https://github.com/openstack/nova/blob/master/nova/auth/manager.py#L331, https://github.com/openstack/nova/blob/master/nova/auth/manager.py#L343 https://github.com/openstack/nova/blob/master/nova/auth/manager.py#L352 https://github.com/openstack/swift/blob/master/swift/common/middleware/formpost.py#L445 This one is more subtle - given a valid token, it allows an attacker to deduce the correct username https://github.com/openstack/nova/blob/master/nova/api/openstack/auth.py#L245 While these vulnerabilities may be difficult to exploit over the general internet, an openstack installation can expect an attack from a compromised node, which may be as far away as gigabit switched ethernet, or as close as a vm container on the same physical host. In the latter case, timing attacks even against string comparisons are eminently practical. Timing attacks are one of the topics I'll be discussing at Pycon on March 9. It would be nice to have these fixed before then.
2012-02-28 19:50:35	Russell Bryant	visibility	private	public
2012-02-28 19:57:03	OpenStack Infra	nova: status	Confirmed	In Progress
2012-02-28 19:57:03	OpenStack Infra	nova: assignee		Russell Bryant (russellb)
2012-02-28 19:57:20	OpenStack Infra	swift: status	Confirmed	In Progress
2012-02-28 19:57:20	OpenStack Infra	swift: assignee		Russell Bryant (russellb)
2012-02-28 20:27:29	OpenStack Infra	nova: status	In Progress	Fix Committed
2012-02-28 23:31:58	Joseph Heck	keystone: assignee		Russell Bryant (russellb)
2012-02-28 23:32:10	Joseph Heck	keystone: milestone		essex-rc1
2012-02-29 03:35:33	OpenStack Infra	swift: status	In Progress	Fix Committed
2012-02-29 10:37:30	Thierry Carrez	nova: status	Fix Committed	Fix Released
2012-02-29 10:37:30	Thierry Carrez	nova: milestone		essex-4
2012-02-29 15:18:33	OpenStack Infra	keystone: status	Confirmed	In Progress
2012-02-29 18:29:05	OpenStack Infra	keystone: status	In Progress	Fix Committed
2012-03-01 15:25:52	Thierry Carrez	keystone: importance	Undecided	Medium
2012-03-01 15:25:55	Thierry Carrez	nova: importance	Undecided	Medium
2012-03-01 15:26:01	Thierry Carrez	swift: importance	Undecided	Medium
2012-03-07 12:32:17	Thierry Carrez	swift: status	Fix Committed	Fix Released
2012-03-07 12:32:17	Thierry Carrez	swift: milestone		1.4.7
2012-03-23 20:53:29	Thierry Carrez	keystone: status	Fix Committed	Fix Released
2012-04-05 08:33:58	Thierry Carrez	keystone: milestone	essex-rc1	2012.1
2012-04-05 10:16:24	Thierry Carrez	nova: milestone	essex-4	2012.1