[Openstack-security] [Bug 1174499] Re: Keystone token hashing is MD5

OpenStack Infra 1174499 at bugs.launchpad.net
Tue Sep 16 07:52:11 UTC 2014


Reviewed:  https://review.openstack.org/116509
Committed: https://git.openstack.org/cgit/openstack/django_openstack_auth/commit/?id=ed1e31eca6cd34677feb6674973c4f8989b2b4e4
Submitter: Jenkins
Branch:    master

commit ed1e31eca6cd34677feb6674973c4f8989b2b4e4
Author: Brant Knudson <bknudson at us.ibm.com>
Date:   Sat Aug 23 11:35:25 2014 -0500

    Configurable token hashing algorithm
    
    The user's authentication token was hashed using the MD5 algorithm.
    The MD5 algorithm shouldn't be used because of the potential for
    hash collisions. Some security standards mandate a SHA2 algorithm
    or better must be used.
    
    With this change the algorithm to use for hashing tokens can be
    configured by setting the OPENSTACK_TOKEN_HASH_ALGORITHM
    configuration option to a hash algorithm supported by Python's
    hashlib library[1]. For example, a deployer could set the option to
    'sha256' to meet a SHA2 security standard.
    
    The algorithm chosen must match the hash algorithm that the
    identity server is configured to use (Keystone and the auth_token
    middleware can be configured to use any hash algorithm supported by
    hashlib).
    
    This is for security hardening.
    
    [1] https://docs.python.org/2/library/hashlib.html
    
    DocImpact
    SecurityImpact
    
    Change-Id: I9e3eba7e0a12ae40a08d0ed851ea916ec6591bcc
    Closes-Bug: #1174499


** Changed in: django-openstack-auth
       Status: In Progress => Fix Committed

-- 
You received this bug notification because you are a member of OpenStack
Security Group, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1174499

Title:
  Keystone token hashing is MD5

Status in Django OpenStack Auth:
  Fix Committed
Status in OpenStack Dashboard (Horizon):
  In Progress
Status in OpenStack Identity (Keystone):
  Fix Released
Status in OpenStack API documentation site:
  Confirmed
Status in Python client library for Keystone:
  Fix Released

Bug description:
  https://github.com/openstack/python-keystoneclient/blob/master/keystoneclient/common/cms.py

  import hashlib

  # PKI tokens are base64-encoded CMS/DER blobs, which always begin with 'MII'
  PKI_ANS1_PREFIX = 'MII'

  def is_ans1_token(token_id):
      return token_id[:3] == PKI_ANS1_PREFIX

  def cms_hash_token(token_id):
      """
      return: for ans1_token, returns the hash of the passed in token
      otherwise, returns what it was passed in.
      """
      if token_id is None:
          return None
      if is_ans1_token(token_id):
          # the reported problem: PKI tokens are always hashed with MD5
          hasher = hashlib.md5()
          hasher.update(token_id)
          return hasher.hexdigest()
      else:
          return token_id

  MD5 is a deprecated mechanism; it should be replaced with at least SHA1, if not SHA256.
  Keystone should be able to support multiple Hash types, and the auth_token middleware should query Keystone to find out which type is in use.
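The following is an added example, written for this page and not code from the commit, the bug report, django_openstack_auth or keystoneclient. It shows what the configurable algorithm described in the commit message looks like in practice and why the bug description's "must match Keystone" requirement matters: a token hashed by the client with one algorithm will not be found in a store keyed by another. The names hash_token, TokenStore and demo are hypothetical; is_ans1_token mirrors keystoneclient's 'MII' prefix check; the sample tokens are constructed and not real credentials.

```python
import hashlib

# PKI tokens are base64-encoded CMS/DER blobs, which always begin with 'MII'
PKI_ANS1_PREFIX = 'MII'


def is_ans1_token(token_id):
    """True for PKI (CMS-signed) tokens, False for plain UUID tokens."""
    return token_id[:3] == PKI_ANS1_PREFIX


def hash_token(token_id, algorithm='sha256'):
    """Hash a PKI token with a configurable hashlib algorithm.

    The algorithm plays the role of OPENSTACK_TOKEN_HASH_ALGORITHM from
    the commit message. UUID tokens are returned unchanged, as
    cms_hash_token does. An unsupported name is rejected up front so a
    misconfigured deployment fails loudly instead of hashing with a
    surprise default.
    """
    if token_id is None:
        return None
    if not is_ans1_token(token_id):
        return token_id
    if algorithm not in hashlib.algorithms_available:
        raise ValueError('unsupported token hash algorithm: %r' % algorithm)
    hasher = hashlib.new(algorithm)
    hasher.update(token_id.encode('utf-8'))
    return hasher.hexdigest()


class TokenStore(object):
    """Stand-in for a server-side table keyed by token hash (hypothetical)."""

    def __init__(self, algorithm):
        self.algorithm = algorithm
        self._hashes = set()

    def add(self, token_id):
        self._hashes.add(hash_token(token_id, self.algorithm))

    def contains(self, token_id, client_algorithm):
        # The client hashes with *its* configured algorithm; the lookup
        # only succeeds when both sides agree on the algorithm.
        return hash_token(token_id, client_algorithm) in self._hashes


# Constructed sample tokens, not real credentials.
SAMPLE_PKI_TOKEN = 'MIIB' + 'A' * 60
SAMPLE_UUID_TOKEN = '0123456789abcdef0123456789abcdef'


def demo():
    """Server configured for sha256; compare a matching and a mismatched client."""
    store = TokenStore('sha256')
    store.add(SAMPLE_PKI_TOKEN)
    return {
        'matched': store.contains(SAMPLE_PKI_TOKEN, 'sha256'),
        'mismatched': store.contains(SAMPLE_PKI_TOKEN, 'md5'),
        'uuid_passthrough': hash_token(SAMPLE_UUID_TOKEN, 'sha256') == SAMPLE_UUID_TOKEN,
    }


if __name__ == '__main__':
    print(demo())
```

Running demo() shows the matched lookup succeeding and the md5 lookup failing for the same token, which is exactly the outage a deployer gets when the dashboard's OPENSTACK_TOKEN_HASH_ALGORITHM is changed without changing Keystone and the auth_token middleware to the same value.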

To manage notifications about this bug go to:
https://bugs.launchpad.net/django-openstack-auth/+bug/1174499/+subscriptions
