[Openstack-security] Authentication token generation using UUID
Abu Shohel Ahmed
ahmed.shohel at ericsson.com
Tue Feb 11 12:34:13 UTC 2014
On 11 Feb 2014, at 03:51, Adam Young <ayoung at redhat.com> wrote:
> On 02/10/2014 09:19 AM, Abu Shohel Ahmed wrote:
>> Hi,
>>
>> Currently, Keystone Token provider (both PKI and UUID) relies on uuid.uuid4 to generate token which
>> is used as an authentication token during its lifetime.
>
> Not true for PKI tokens, only UUID. PKI tokens are crypto signed (CMS), and then their ID is the MD5 hash of the signed document.
>
> And a new format is in the works…
+ true
_get_token_id function overriding happens in pki.py
>>
>> def _get_token_id(self, token_data):
>>     return uuid.uuid4().hex
>>
>> My question is how secure is UUID4 token. According to RFC 4122
>>
>> "Do not assume that UUIDs are hard to guess; they should not be used
>> as security capabilities (identifiers whose mere possession grants
>> access)"
>>
>> The implementation of UUID4 relies on os.urandom() which provides pretty good randomness. However, there are still
>> concerns about its randomness. See the thread here: http://stackoverflow.com/questions/817882/unique-session-id-in-python.
>>
>> Should it be a security bug for Keystone? If it is, both the PKI and UUID token generation processes are vulnerable.
>>
>> ...shohel
>>
>>
>> _______________________________________________
>> Openstack-security mailing list
>> Openstack-security at lists.openstack.org
>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-security
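As an added example (not code from the thread, Keystone or OpenStack), the following shows what a `uuid.uuid4().hex` token ID like the one quoted above actually carries, and how a validator should check and compare such an ID; function names are my own.

```python
import hmac
import os
import uuid

# Added example for this thread, not Keystone's code.

def keystone_style_token_id():
    """Same expression as the _get_token_id body quoted in the thread."""
    return uuid.uuid4().hex

def fixed_bit_count(samples=2000):
    """Empirically count the bits that never change across many uuid4 values.
    RFC 4122 pins 4 version bits and 2 variant bits, so this returns 6:
    the other 122 bits of a uuid4 token ID all come from os.urandom."""
    all_ones = (1 << 128) - 1
    and_acc, or_acc = all_ones, 0
    for _ in range(samples):
        v = uuid.uuid4().int
        and_acc &= v
        or_acc |= v
    constant_bits = all_ones & ~(and_acc ^ or_acc)  # 1 where every sample agreed
    return bin(constant_bits).count("1")

def is_wellformed_uuid4_token(token_id):
    """True iff token_id is 32 hex digits whose version/variant fields say
    'random, RFC 4122'. This rejects truncated or hand-built IDs; it cannot
    tell a weak RNG from a strong one."""
    if not isinstance(token_id, str) or len(token_id) != 32:
        return False
    try:
        u = uuid.UUID(hex=token_id)
    except ValueError:
        return False
    return u.version == 4 and u.variant == uuid.RFC_4122

def urandom_token_id(nbytes=16):
    """Alternative with no pinned bits: all 8*nbytes bits from the OS CSPRNG."""
    return os.urandom(nbytes).hex()

def token_matches(presented, stored):
    """Constant-time comparison. A bearer token is a capability (the RFC 4122
    warning), so the check must not leak how many leading characters matched."""
    return hmac.compare_digest(presented.encode(), stored.encode())
```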