[Openstack-security] Deriving Instance UUID

Cody Bunch cody.bunch at rackspace.com
Mon Dec 9 21:23:10 UTC 2013


Thanks! I'd replied, but it seems I left the list off. The Nova sources (nova/openstack/common/uuidutils.py) use Python's uuid.uuid4() to generate the UUIDs. The Python source for UUID4 seems to pull from a number of methods, going to (u)random or Python's random module, so it is heavily dependent on the system(s) it's being run from:
http://hg.python.org/cpython/file/ec8d2f54dcb2/Lib/uuid.py

I did throw up a quick test to see if I can find a match... so far I've generated 20 million UUIDs and not had a collision (didn't expect one, but it's good to see):
https://gist.github.com/bunchc/7880710

It also seems that other services may use their own UUID generation or so; I've not looked into that, however.

-C
________________________________
From: Brian Schott [brian.schott at nimbisservices.com]
Sent: Monday, December 09, 2013 3:16 PM
To: Clark, Robert Graham
Cc: openstack-security at lists.openstack.org
Subject: Re: [Openstack-security] Deriving Instance UUID

Rob,

That is a hard question.  The short answer is that it depends on the type of UUID.  Type 1 () is mac address of the server + timestamp, so probability of guessing another UUID in the system is very high.  Type 4 (random) has 122 bits, so probability of collision is extremely small and is also dependent on having a good random number generator.  A poor implementation might be predictable.  Type 5 (namespace) has fewer bits depending on the size of the namespace.

http://en.wikipedia.org/wiki/Birthday_problem#Probability_table

I think in general web url usage, a bare UUID as authentication mechanism isn't considered good practice, but it really depends on how many elements you have in the system, how it is protected from brute-force attacks, etc.

Brian

-------------------------------------------------
Brian Schott, CTO
Nimbis Services, Inc.
brian.schott at nimbisservices.com
ph: 443-274-6064  fx: 443-274-6060
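The following is an added worked example, not code from this thread, from Nova, or from Cody's gist. It puts numbers on the two points made above: the birthday-bound collision probability for the 122 random bits of a version-4 UUID, and an empirical uniqueness run of the kind described, at a scale that finishes in seconds. It also shows the host fields a version-1 UUID carries in the clear, which is what makes type 1 guessable. Function names and sample sizes are my own choices; the arithmetic is the standard approximation p ≈ 1 − exp(−n(n−1) / 2^(bits+1)).

```python
import math
import uuid

# A version-4 UUID is 128 bits, of which 4 (version nibble) and 2 (variant)
# are fixed, leaving 122 bits that come from the generator's randomness.
UUID4_RANDOM_BITS = 122


def birthday_collision_probability(n, bits=UUID4_RANDOM_BITS):
    """Approximate P(at least one collision) among n uniform `bits`-bit values.

    Birthday-bound approximation p ~= 1 - exp(-n(n-1) / (2 * 2**bits)),
    evaluated with expm1 so that very small probabilities keep precision.
    """
    space = 2 ** bits
    return -math.expm1(-(n * (n - 1)) / (2 * space))


def ids_until_collision_probability(p, bits=UUID4_RANDOM_BITS):
    """Inverse of the above: how many ids before P(collision) reaches p."""
    space = 2 ** bits
    return math.ceil(math.sqrt(-2 * space * math.log1p(-p)))


def well_formed_uuid4(u):
    """True if the fixed bits mark u as an RFC 4122 version-4 UUID."""
    return u.version == 4 and u.variant == uuid.RFC_4122


def empirical_collision_check(n):
    """Generate n uuid4 values; return (duplicates seen, all well formed).

    Same idea as the brute check mentioned in the thread, at a size that runs
    quickly.  With 122 random bits no duplicate is expected at any feasible n.
    """
    seen = set()
    duplicates = 0
    all_well_formed = True
    for _ in range(n):
        u = uuid.uuid4()
        if u in seen:
            duplicates += 1
        seen.add(u)
        all_well_formed = all_well_formed and well_formed_uuid4(u)
    return duplicates, all_well_formed


def uuid1_host_fields(u=None):
    """Fields a version-1 UUID exposes in the clear: the node id (normally the
    host MAC address), a 100 ns timestamp counted from 1582-10-15, and the
    clock sequence.  Knowing one such UUID narrows the search for its
    neighbours, which is why type 1 is the guessable kind."""
    if u is None:
        u = uuid.uuid1()
    return {"node": u.node, "time": u.time, "clock_seq": u.clock_seq}


if __name__ == "__main__":
    for n in (20_000_000, 10**9, 10**12):
        p = birthday_collision_probability(n)
        print(f"{n:>16} uuid4 ids -> P(collision) ~ {p:.3e}")
    print("ids for a 50% collision chance (uuid4):",
          ids_until_collision_probability(0.5))
    print("ids for a 50% collision chance (32-bit id):",
          ids_until_collision_probability(0.5, bits=32))
    print("100k empirical run (dups, well formed):",
          empirical_collision_check(100_000))
    print("uuid1 exposes:", uuid1_host_fields())
```

For 20 million version-4 UUIDs the collision probability works out to roughly 4e-23, and reaching a 50% chance takes about 2.7e18 ids, so an empirical run like the one above can only confirm that the generator is not obviously broken, not that collisions are rare; the arithmetic does that. The 32-bit comparison (about 77,000 ids for a 50% chance) shows why a short identifier in the same role would be a real problem. Current CPython releases build uuid4() from 16 bytes of os.urandom, so the strength of the result rests on the OS entropy source of the host running the service.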



On Dec 9, 2013, at 3:06 PM, Clark, Robert Graham <robert.clark at hp.com> wrote:

Guys,

Is there any way you know of to infer or guess at the UUID of a compute instance belonging to another tenant?

-Rob
_______________________________________________
Openstack-security mailing list
Openstack-security at lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-security
