[openstack-dev] Token Revocation using hash of token id

Eric Windisch eric at cloudscaling.com
Tue Nov 12 18:59:54 UTC 2013

During the token revocation discussion at the summit, I suggested it
would be possible to revoke tokens using a hash of the token id (which
is already an MD5 hash). That way, the revocation file would be able
to specify individual hashes for revocation without dangerously
presenting secrets.

I should amend that suggestion to say that should this be done, the
hash will need to be salted. Otherwise, rainbow tables could be used
to attack the original secrets. In fact, this would be exacerbated by
the fact there would be a limited domain to the hash function, knowing
that the input would always be the 128-bit output of MD5.

This much might be obvious, but I felt it was worth clarifying and
etching into the blueprint or other design documentation.

Eric Windisch

