Hi,

Currently, the Keystone token provider (both PKI and UUID) relies on uuid.uuid4 to generate the token that is used as an authentication token during its lifetime:

    def _get_token_id(self, token_data):
        return uuid.uuid4().hex

My question is how secure a UUID4 token is. According to RFC 4122:

"Do not assume that UUIDs are hard to guess; they should not be used as security capabilities (identifiers whose mere possession grants access)."

The implementation of UUID4 relies on os.urandom(), which provides pretty good randomness. However, there are still concerns about its randomness. See the thread here: http://stackoverflow.com/questions/817882/unique-session-id-in-python.

Should it be a security bug for Keystone? If it is, both the PKI and UUID token generation processes are vulnerable.

...shohel
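As an added illustration (not part of the original message or of Keystone's own code), the script below shows why a uuid4 hex string carries 122 bits of randomness rather than 128: RFC 4122 fixes the version nibble and two variant bits, which empirically never vary across samples. It also shows the alternative of drawing the token id straight from the OS CSPRNG and comparing it in constant time; the function names are hypothetical.

```python
import hmac
import secrets
import uuid


def uuid4_token_id() -> str:
    """Token id built the same way as the quoted Keystone snippet."""
    return uuid.uuid4().hex


def fixed_hex_positions(samples: int = 4000) -> dict:
    """Return the positions of the 32-char hex string that never take all
    16 values across `samples` draws, with the values actually observed.
    Those positions are the version/variant bits RFC 4122 reserves, so they
    contribute no entropy to the token.
    """
    seen = [set() for _ in range(32)]
    for _ in range(samples):
        for i, ch in enumerate(uuid4_token_id()):
            seen[i].add(ch)
    return {i: sorted(s) for i, s in enumerate(seen) if len(s) < 16}


def uuid4_entropy_bits() -> int:
    """128 bits minus 4 version bits minus 2 variant bits (RFC 4122 sec. 4.4)."""
    return 128 - 4 - 2


def urandom_token_id(nbytes: int = 32) -> str:
    """Token id drawn directly from the OS CSPRNG with no structural bits.
    secrets.token_hex uses os.urandom underneath, the same source uuid4 uses,
    but spends every bit on randomness (constructed alternative, not Keystone's).
    """
    return secrets.token_hex(nbytes)


def token_matches(stored: str, presented: str) -> bool:
    """Compare a presented token against the stored one without leaking the
    position of the first mismatch through timing."""
    return hmac.compare_digest(stored, presented)


if __name__ == "__main__":
    print("uuid4 sample:   ", uuid4_token_id())
    print("fixed positions:", fixed_hex_positions())
    print("uuid4 entropy:  ", uuid4_entropy_bits(), "bits")
    print("urandom sample: ", urandom_token_id())
```

Position 12 of the hex string is always '4' and position 16 is always one of 8, 9, a or b; the remaining 30 nibbles are the 122 random bits.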