[openstack-dev] [nova][keystone] Message Queue Security
David Chadwick
d.w.chadwick at kent.ac.uk
Thu Apr 25 18:50:53 UTC 2013
I am not a cryptologist, but I would have thought that a 256 bit key
could be used with almost any symmetric crypto algorithm. The key shared
between the key server and the service does not need to change very
often (aka kerberos say).
David
On 25/04/2013 17:23, Simo Sorce wrote:
> On Thu, 2013-04-25 at 17:04 +0100, David Chadwick wrote:
>> you dont need to negotiate algorithms on the fly. If the crypto arrives
>> with a clear indication of what algorithms it has used (as in S/MIME,
>> X.509 certs etc.) then the receiving code can automatically determine
>> which algorithms to use to decrypt the message. Of course, negotiation
>> of algorithms for point to point connections e.g. as in TLS/SSL, allows
>> an optimal set to be chosen from the outset
>
> Well, you are assuming that the keys given out by the Key server do not
> need to change if you change the algorithm, and that is not necessarily
> true. So you slowly but steadily end up with needing a negotiation
> scheme with the key server at least and ... it is a slippery slope.
>
> Simo.
>
More information about the OpenStack-dev
mailing list