<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii"><meta name=Generator content="Microsoft Word 14 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri","sans-serif";
mso-fareast-language:EN-US;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:72.0pt 72.0pt 72.0pt 72.0pt;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-GB link=blue vlink=purple><div class=WordSection1><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Certainly sounds like a problem.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>It’s been a while since I’ve looked into Swift at any depth, can you explain who (in the context of users/tenants/everyone) has access to Swift account meta data attributes?<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>In general you’re better off rolling HMAC keys regularly rather than trying to encrypt them, as that simply defers the problem to how you then protect the key for the encryption and how you share it etc.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><div style='border:none;border-left:solid blue 1.5pt;padding:0cm 0cm 0cm 4.0pt'><div><div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0cm 0cm 0cm'><p class=MsoNormal><b><span lang=EN-US style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span lang=EN-US style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> Alexandra Shulman-Peleg [mailto:SHULMANA@il.ibm.com] <br><b>Sent:</b> 28 August 2013 11:30<br><b>To:</b> openstack-security@lists.openstack.org<br><b>Subject:</b> [Openstack-security] Hmac keys in Swift tempurl middleware<o:p></o:p></span></p></div></div><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>Hi,</span> <br><br><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>In tempurl middleware of Swift there is an hmac signature calculated with keys stored in account meta data attributes temp-url-key', 'temp-url-key-2' (see the function get_tempurl_keys_from_metadata in swift/common/middleware/tempurl.py). <br></span><br><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>The generated signature allows access to the resources with URLs like </span><a href="https://swift-cluster.example.com/v1/AUTH_account/container/object?temp_url_sig=da39a3ee5e6b4b0d3255bfef95601890afd80709&temp_url_expires=1323479485"><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>https://swift-cluster.example.com/v1/AUTH_account/container/object?temp_url_sig=da39a3ee5e6b4b0d3255bfef95601890afd80709&temp_url_expires=1323479485</span></a><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>. </span> <br><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'> </span> <br><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>It seems that keeping the keys un-encrypted as part of the account info is a security vulnerability which allows anyone who can read the account meta data to generate and fake temp urls. Shouldn't we protect the keys used to calculate the hmac, either through encryption or by limiting their visibility? </span><br><br><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>Best Regards,</span> <br><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>Alex. </span><br><br><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>----------------------------------------------------------<br>Alexandra Shulman-Peleg, PhD<br>Storage Research, Cloud Platforms <br>IBM Haifa Research Lab<br>Tel: +972-3-7689530 | Fax: +972-3-7689545</span><o:p></o:p></p></div></div></body></html>