[openstack-dev] [Glance][Security] Secure Hash Algorithm Spec
jaypipes at gmail.com
Fri Sep 29 16:31:21 UTC 2017
On 09/29/2017 06:19 AM, Luke Hinds wrote:
> On Thu, Sep 28, 2017 at 8:38 PM, McClymont Jr, Scott
> <scott.mcclymont at verizonwireless.com
> <mailto:scott.mcclymont at verizonwireless.com>> wrote:
> Hey All,
> I've got a spec up for a change I want to implement in Glance for
> Queens to enhance the current checksum (md5) functionality with a
> stronger hash algorithm. I'm going to do this in such a way that it
> is easily altered in the future for new algorithms as they are
> released. I'd appreciate it if someone on the security team could
> look it over and comment. Thanks.
> Review: https://review.openstack.org/#/c/507568/
> +1 , thanks for undertaking this work. Strong support from the security
> projects side.
> Would be good to see all projects move on from MD5 use now, its been
> known to be insecure for sometime and clashes with FIPS-142 compliance.
In the case of Glance's use of MD5 for checksums, it is used to identify
whether a particular array of bytes that represents an image has
changed. The client uploads a bytestream to Glance, which does a rolling
checksum of that byte data for each chunk received and writes the
checksum to the database upon completion of the upload.
That checksum number never changes since Glance images are immutable
Can someone please inform me how changing the checksum algorithm for
this operation to SHA-1 or something else would improve the security of
As someone who recently had to go through thousands of (mostly bogus)
entries in a spreadsheet generated from the Bandit "security scanning
tool", I'd like to ask that we approach these kinds of things with some
common sense and not just as a checking-the-box-off activity.
md5 is used in a number of places in many OpenStack services, and often
those uses have nothing to do with cryptography. Rather, in those cases
md5 is used as a simple mechanism to generate a hash from a name. 
All I ask is that we don't have an army of people going out and
replacing blindly all uses of the MD5 algorithm everywhere, since (as I
learned recently) that will just lead to a lot of busywork for little gain.
More information about the OpenStack-dev