[Openstack-security] [Bug 1757300] Re: RandomString may have less entropy than expected
Jeremy Stanley
fungi at yuggoth.org
Thu Mar 22 15:39:34 UTC 2018
Thanks. In that case I'll just flag it as a security hardening
opportunity. We can revisit that and issue an advisory if new issues
come to light suggesting it's more serious than we think.
** Changed in: ossa
Status: Incomplete => Won't Fix
** Tags added: security
** Information type changed from Public Security to Public
--
You received this bug notification because you are a member of OpenStack
Security SIG, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1757300
Title:
RandomString may have less entropy than expected
Status in OpenStack Heat:
In Progress
Status in OpenStack Security Advisory:
Won't Fix
Bug description:
When generating a random string, once we have selected from the
various required pools, we continue by selecting a pool at random and
then selecting a character from that pool at random. This does not
take into account the differing sizes of the available pools, nor the
fact that the same character could appear in multiple pools. This
results in a non-uniform probability distribution of characters.
For example, in the following resource:
    type: OS::Heat::RandomString
    properties:
      length: 66
      character_classes:
        - class: lettersdigits
      character_sequences:
        - sequence: "*$"
one might reasonably expect to find an average of 3 '*' or '$'
characters in the output, but in fact there would be an average of 33.
Since users mostly make use of this feature to generate default
passwords for services they are deploying, this would result in the
generated passwords having slightly less entropy than expected.
Pathological cases where the entropy is massively reduced (like the
one above - where it is only 229.5 bits vs. the expected 391 bits) are
possible, although it's probably unlikely that users would encounter
them by accident.
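To make the bias concrete, the following added example (not Heat code, and not from the bug report) models the per-position character distribution of the pool-first sampler described above against uniform sampling over the union of the pools, using the report's resource. It assumes the lettersdigits class is ASCII letters plus digits and that each class and sequence contributes one required character before the remaining positions are filled; the per-character Shannon entropy it reports is a different accounting from the bit totals in the report and is not meant to reproduce them.

```python
import math
import random
import string
from fractions import Fraction

# Constructed pools for the report's resource (assumption: 'lettersdigits'
# is ASCII letters + digits; every class/sequence yields one required pick).
LETTERS_DIGITS = string.ascii_letters + string.digits
POOLS = [LETTERS_DIGITS, "*$"]
LENGTH = 66


def flawed_position_distribution(pools):
    """Probability of each character at a free position when a pool is chosen
    uniformly first and then a character uniformly from that pool. A character
    present in several pools accumulates probability from each of them."""
    dist = {}
    for pool in pools:
        for ch in pool:
            dist[ch] = dist.get(ch, 0) + Fraction(1, len(pools) * len(pool))
    return dist


def uniform_position_distribution(pools):
    """Probability of each character when sampling uniformly from the union."""
    alphabet = sorted(set("".join(pools)))
    return {ch: Fraction(1, len(alphabet)) for ch in alphabet}


def expected_count(dist, chars, length, pools):
    """Expected number of characters from `chars` in a string of `length`:
    one required pick per pool, then the remaining positions drawn from `dist`."""
    free = length - len(pools)
    required = sum(Fraction(len(set(p) & set(chars)), len(p)) for p in pools)
    return required + free * sum(dist.get(c, 0) for c in chars)


def shannon_bits(dist):
    """Shannon entropy, in bits, of one position's character distribution."""
    return -sum(float(p) * math.log2(float(p)) for p in dist.values())


def corrected_sample(pools, length, rng=None):
    """Hypothetical fixed generator: required picks per pool, then the free
    positions drawn uniformly from the deduplicated union of all pools."""
    rng = rng or random.SystemRandom()
    alphabet = sorted(set("".join(pools)))
    out = [rng.choice(p) for p in pools]
    out += [rng.choice(alphabet) for _ in range(length - len(pools))]
    rng.shuffle(out)  # hide which positions held the required picks
    return "".join(out)
```

With the report's resource, `expected_count` gives 33 '*'/'$' characters for the pool-first sampler and 3 for the uniform one, and the flawed per-position entropy is about 4.5 bits against 6 bits for the 64-character union.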
To manage notifications about this bug go to:
https://bugs.launchpad.net/heat/+bug/1757300/+subscriptions