[Openstack-security] [Bug 1174499] Re: Keystone token hashing is MD5

OpenStack Infra 1174499 at bugs.launchpad.net
Mon Oct 6 16:48:18 UTC 2014


Reviewed:  https://review.openstack.org/116510
Committed: https://git.openstack.org/cgit/openstack/horizon/commit/?id=372d033d89c0f5d305959a6ad5fd3e1159cc91ed
Submitter: Jenkins
Branch:    master

commit 372d033d89c0f5d305959a6ad5fd3e1159cc91ed
Author: Brant Knudson <bknudson at us.ibm.com>
Date:   Sun Aug 24 10:04:10 2014 -0500

    Document token hash algorithm option
    
    With https://review.openstack.org/#/c/116509/ ,
    django-openstack-auth will support a new option for the token hash
    algorithm. This adds the documentation to Horizon's local settings
    example file.
    
    This is for security hardening. The token hash algorithm defaults
    to MD5, which is considered too weak due to the potential for hash
    collisions. Some security standards require a SHA2 hash algorithm to
    be used.
    
    DocImpact
    SecurityImpact
    
    Change-Id: I6774b9b7215d191259586e4721e357487bb777cd
    Closes-Bug: #1174499


** Changed in: horizon
       Status: In Progress => Fix Committed

-- 
You received this bug notification because you are a member of OpenStack
Security Group, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1174499

Title:
  Keystone token hashing is MD5

Status in Django OpenStack Auth:
  Fix Released
Status in OpenStack Dashboard (Horizon):
  Fix Committed
Status in OpenStack Identity (Keystone):
  Fix Released
Status in OpenStack API documentation site:
  Confirmed
Status in Python client library for Keystone:
  Fix Released

Bug description:
  https://github.com/openstack/python-keystoneclient/blob/master/keystoneclient/common/cms.py

  import hashlib

  # is_ans1_token() is defined elsewhere in cms.py; it recognises PKI (CMS) tokens.
  def cms_hash_token(token_id):
      """
      return: for ans1_token, returns the hash of the passed in token
      otherwise, returns what it was passed in.
      """
      if token_id is None:
          return None
      if is_ans1_token(token_id):
          # PKI tokens are hashed before use as a lookup key; the algorithm
          # is fixed to MD5 here, which is the subject of this bug.
          hasher = hashlib.md5()
          hasher.update(token_id)
          return hasher.hexdigest()
      else:
          return token_id

  
  MD5 is a deprecated mechanism, it should be replaced with at least SHA1, if not SHA256.
  Keystone should be able to support multiple Hash types, and the auth_token middleware should query Keystone to find out which type is in use.

To manage notifications about this bug go to:
https://bugs.launchpad.net/django-openstack-auth/+bug/1174499/+subscriptions
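A hardened form of the hashing routine, added here as an illustration and not taken from keystoneclient or from the Horizon change above: the hash algorithm is selectable (defaulting to SHA-256), unsupported names are rejected, and the verifier tries each configured algorithm so a deployment can migrate away from MD5 without invalidating stored hashes. The "MII" prefix check is an assumed stand-in for is_ans1_token, and the sample tokens are constructed.

```python
import hashlib

# Assumed heuristic, standing in for is_ans1_token(): a base64-encoded DER
# (CMS/PKI) token starts with "MII"; UUID tokens never do.
PKI_TOKEN_PREFIX = "MII"

# Algorithms a deployment may configure. md5 is kept only so that hashes
# written by the old code can still be verified during a migration.
SUPPORTED_HASHES = ("md5", "sha256", "sha512")


def is_pki_token(token_id):
    return token_id is not None and token_id.startswith(PKI_TOKEN_PREFIX)


def hash_token(token_id, algorithm="sha256"):
    """Hash a PKI token with the configured algorithm; pass UUID tokens through."""
    if token_id is None:
        return None
    if algorithm not in SUPPORTED_HASHES:
        raise ValueError("unsupported token hash algorithm: %s" % algorithm)
    if not is_pki_token(token_id):
        return token_id
    hasher = hashlib.new(algorithm)
    hasher.update(token_id.encode("utf-8"))
    return hasher.hexdigest()


def token_matches(presented_token, stored_hash, algorithms=("sha256", "md5")):
    """Return the algorithm under which the presented token matches the
    stored hash, or None. Trying sha256 first and md5 second lets a
    deployment accept old md5 entries while writing new sha256 ones."""
    for algorithm in algorithms:
        if hash_token(presented_token, algorithm) == stored_hash:
            return algorithm
    return None


# Constructed sample tokens: a PKI-style token (only the "MII" prefix matters
# for this illustration) and a UUID-style token.
SAMPLE_PKI_TOKEN = "MIIBogYJKoZIhvcNAQcCoIIBkzCCAY8CAQExCTAHBgUrDgMC"
SAMPLE_UUID_TOKEN = "7f6c2c4e0d3a4d5e9f1b2c3d4e5f6a7b"
```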