[Openstack-security] [Bug 1174499] Re: Keystone token hashing is MD5

Openstack Gerrit 1174499 at bugs.launchpad.net
Wed Apr 23 05:42:56 UTC 2014


Reviewed:  https://review.openstack.org/80401
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=bf4ff96472991675f76c95dde8c027417d0deafd
Submitter: Jenkins
Branch:    master

commit bf4ff96472991675f76c95dde8c027417d0deafd
Author: Brant Knudson <bknudson at us.ibm.com>
Date:   Wed Apr 9 19:13:09 2014 -0500

    Configurable token hash algorithm
    
    Tokens were always hashed with MD5. This change allows tokens to
    be hashed with SHA256 (or any other algorithm supported by the
    keystoneclient token hash function). This is for security
    hardening.
    
    There's a new configuration option 'hash_algorithm' in the [token]
    section. This is the algorithm to use for hashing PKI tokens, so is
    used
    
    a) when storing the token in the db
    b) as the hash in the revocation list
    
    hash_algorithm defaults to 'md5' for backwards compatibility.
    
    SecurityImpact
    DocImpact
    Closes-Bug: #1174499
    
    Change-Id: Iafe3c975d59818c8f362647f7ea5149a03deee47


** Changed in: keystone
       Status: In Progress => Fix Committed

-- 
You received this bug notification because you are a member of OpenStack
Security Group, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1174499

Title:
  Keystone token hashing is MD5

Status in OpenStack Dashboard (Horizon):
  New
Status in OpenStack Identity (Keystone):
  Fix Committed
Status in OpenStack API documentation site:
  Confirmed
Status in Python client library for Keystone:
  In Progress

Bug description:
  https://github.com/openstack/python-keystoneclient/blob/master/keystoneclient/common/cms.py

  import hashlib

  # is_ans1_token() is defined elsewhere in the same cms.py module.
  def cms_hash_token(token_id):
      """
      return: for ans1_token, returns the hash of the passed in token
      otherwise, returns what it was passed in.
      """
      if token_id is None:
          return None
      if is_ans1_token(token_id):
          # Hash algorithm is hard-coded to MD5; this is the defect reported below.
          hasher = hashlib.md5()
          hasher.update(token_id)
          return hasher.hexdigest()
      else:
          return token_id


  MD5 is a deprecated mechanism; it should be replaced with at least SHA1, if not SHA256.
  Keystone should be able to support multiple Hash types, and the auth_token middleware should query Keystone to find out which type is in use.

To manage notifications about this bug go to:
https://bugs.launchpad.net/horizon/+bug/1174499/+subscriptions
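The following is an added illustration, not keystone or keystoneclient code: a token hash function parameterised by a hash_algorithm setting as the commit describes, plus a revocation-list check showing why the middleware and Keystone must agree on the algorithm. It assumes a PKI token is recognised by the 'MII' prefix (base64 of a DER SEQUENCE) and uses a constructed sample token.

```python
import hashlib

# Added example, not keystone/keystoneclient code. Mirrors the change
# described in the commit: token hashing parameterised by a [token]
# hash_algorithm setting instead of hard-coded MD5. Assumption: a PKI
# token is recognised by the 'MII' prefix (base64 of a DER SEQUENCE).
PKI_ASN1_PREFIX = "MII"


def is_asn1_token(token_id):
    """Return True for a base64 CMS/PKI token, False for a UUID-style token."""
    return token_id[:3] == PKI_ASN1_PREFIX


def hash_token(token_id, hash_algorithm="md5"):
    """Hash a PKI token with the configured algorithm; pass other tokens through.

    'md5' is the default only for backward compatibility with already
    stored tokens and revocation lists; new deployments should set sha256.
    """
    if token_id is None:
        return None
    if not is_asn1_token(token_id):
        return token_id
    hasher = hashlib.new(hash_algorithm)  # ValueError for an unknown algorithm name
    hasher.update(token_id.encode("utf-8"))
    return hasher.hexdigest()


def is_revoked(token_id, revocation_list, hash_algorithm):
    """Middleware-side check: the incoming token must be hashed with the
    same algorithm Keystone used when it published the revocation list."""
    return hash_token(token_id, hash_algorithm) in revocation_list


# Constructed sample token: PKI-token shape only, not a real token.
SAMPLE_PKI_TOKEN = "MIIB" + "A" * 60

# Keystone publishes revocation entries hashed with its configured algorithm.
SERVER_ALGORITHM = "sha256"
REVOKED = {hash_token(SAMPLE_PKI_TOKEN, SERVER_ALGORITHM)}

# Middleware configured to match the server catches the revoked token...
MATCHED = is_revoked(SAMPLE_PKI_TOKEN, REVOKED, "sha256")
# ...while middleware still on the old MD5 default misses it, which is why
# the algorithm has to be agreed (or discovered) between the two sides.
MISMATCHED = is_revoked(SAMPLE_PKI_TOKEN, REVOKED, "md5")
```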
