<html dir="ltr">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<style type="text/css" id="owaParaStyle"></style><style type="text/css"></style>
</head>
<body style="word-wrap:break-word" fpstyle="1" ocsi="0">
<div style="direction: ltr;font-family: Tahoma;color: #000000;font-size: 10pt;">Thanks! I'd replied, but it seems I left the list off. The Nova sources (nova/openstack/common/uuidutils.py) use Python's uuid.uuid4() to generate the UUIDs. <span style="font-size: 10pt;">The
Python source for UUID4 seems to pull from a number of methods, going to (u)random or Python's random module, so it is heavily dependent on the system(s) it's being run from:</span>
<div>
<div><a href="http://hg.python.org/cpython/file/ec8d2f54dcb2/Lib/uuid.py" target="_blank">http://hg.python.org/cpython/file/ec8d2f54dcb2/Lib/uuid.py</a></div>
<div><br>
</div>
<div>I did throw up a quick test to see if I can find a match... so far I've generated 20 million UUIDs and not had a collision (didn't expect one, but it's good to see):</div>
<div><a href="https://gist.github.com/bunchc/7880710" target="_blank">https://gist.github.com/bunchc/7880710</a></div>
<div><br>
</div>
<div>It also seems that other services may use their own UUID generation or so; I've not looked into that, however.</div>
<div><br>
</div>
<div>-C</div>
<div style="font-family: Times New Roman; color: #000000; font-size: 16px">
<hr tabindex="-1">
<div id="divRpF596853" style="direction: ltr;"><font face="Tahoma" size="2" color="#000000"><b>From:</b> Brian Schott [brian.schott@nimbisservices.com]<br>
<b>Sent:</b> Monday, December 09, 2013 3:16 PM<br>
<b>To:</b> Clark, Robert Graham<br>
<b>Cc:</b> openstack-security@lists.openstack.org<br>
<b>Subject:</b> Re: [Openstack-security] Deriving Instance UUID<br>
</font><br>
</div>
<div></div>
<div>
<div>Rob,</div>
<div><br>
</div>
<div>That is a hard question. The short answer is that it depends on the type of UUID. Type 1 () is the MAC address of the server + timestamp, so the probability of guessing another UUID in the system is very high. Type 4 (random) has 122 bits, so the probability of
collision is extremely small and is also dependent on having a good random number generator. A poor implementation might be predictable. Type 5 (namespace) has fewer bits depending on the size of the namespace.</div>
<div><br>
</div>
<div>
<div><a href="http://en.wikipedia.org/wiki/Birthday_problem#Probability_table" target="_blank">http://en.wikipedia.org/wiki/Birthday_problem#Probability_table</a></div>
<div><br>
</div>
<div>I think in general web URL usage, a bare UUID as an authentication mechanism isn't considered good practice, but it really depends on how many elements you have in the system, how it is protected from brute-force attacks, etc.</div>
<div><br>
</div>
<div>Brian</div>
<div><br>
<div><span class="Apple-style-span" style="border-collapse: separate; border-spacing: 0px;">
<div>
<div style="font-size:12px">-------------------------------------------------</div>
<div style="font-size:12px">Brian Schott, CTO</div>
<div style="font-size:12px">Nimbis Services, Inc.</div>
<div style="font-size:12px"><a href="mailto:brian.schott@nimbisservices.com" target="_blank">brian.schott@nimbisservices.com</a></div>
<div style="font-size:12px">ph: 443-274-6064 fx: 443-274-6060</div>
</div>
<div><br>
</div>
</span><br class="Apple-interchange-newline">
</div>
<br>
<div>
<div>On Dec 9, 2013, at 3:06 PM, Clark, Robert Graham &lt;<a href="mailto:robert.clark@hp.com" target="_blank">robert.clark@hp.com</a>&gt; wrote:</div>
<br class="Apple-interchange-newline">
<blockquote type="cite">
<div lang="EN-GB" style="font-family:Helvetica; font-size:12px; font-style:normal; font-variant:normal; font-weight:normal; letter-spacing:normal; line-height:normal; orphans:auto; text-align:start; text-indent:0px; text-transform:none; white-space:normal; widows:auto; word-spacing:0px">
<div class="WordSection1" style="">
<div style="margin:0cm 0cm 0.0001pt; font-size:11pt; font-family:Calibri,sans-serif">
Guys,</div>
<div style="margin:0cm 0cm 0.0001pt; font-size:11pt; font-family:Calibri,sans-serif">
</div>
<div style="margin:0cm 0cm 0.0001pt; font-size:11pt; font-family:Calibri,sans-serif">
Is there any way you know of to infer or guess at the UUID of a compute instance belonging to another tenant?</div>
<div style="margin:0cm 0cm 0.0001pt; font-size:11pt; font-family:Calibri,sans-serif">
</div>
<div style="margin:0cm 0cm 0.0001pt; font-size:11pt; font-family:Calibri,sans-serif">
-Rob</div>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</div>
</div>
</div>
</div>
</div>
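<div>Added example, not part of the original thread and not Nova's code: an audit helper that shows which fields of an identifier are derivable for the UUID types discussed above (version 1 exposes its timestamp, clock sequence and node; version 4 carries 122 random bits), plus the birthday-bound estimate for the 20 million UUID test. The function names and the sample timestamp, node and clock sequence are constructed for illustration.</div>

```python
import math
import uuid
from datetime import datetime, timedelta, timezone

# Version 1 timestamps count 100 ns ticks since the Gregorian reform date.
GREGORIAN_EPOCH = datetime(1582, 10, 15, tzinfo=timezone.utc)

def make_v1(when, node, clock_seq):
    """Build a version 1 UUID from chosen fields (constructed sample input)."""
    ticks = (when - GREGORIAN_EPOCH) // timedelta(microseconds=1) * 10
    hi, rest = divmod(ticks, 2 ** 48)
    mid, low = divmod(rest, 2 ** 32)
    seq_hi, seq_low = divmod(clock_seq, 256)
    return str(uuid.UUID(fields=(low, mid, hi, seq_hi, seq_low, node), version=1))

def audit_uuid(value):
    """Report which parts of a UUID are derivable rather than random."""
    u = uuid.UUID(value)
    report = {"version": u.version, "random_bits": 0, "derivable": {}}
    if u.version == 1:
        # 60-bit timestamp + 14-bit clock sequence + 48-bit node (often a MAC).
        created = GREGORIAN_EPOCH + timedelta(microseconds=u.time // 10)
        report["derivable"] = {
            "created_utc": created.isoformat(),
            "node": "%012x" % u.node,
            "clock_seq": u.clock_seq,
        }
    elif u.version == 4:
        # 6 of the 128 bits are fixed (version and variant); the rest are random.
        report["random_bits"] = 122
    return report

def collision_probability(n, bits=122):
    """Birthday-bound estimate: p ~= 1 - exp(-n^2 / 2^(bits + 1))."""
    return -math.expm1(-(n * n) / 2.0 ** (bits + 1))

if __name__ == "__main__":
    # Constructed sample values, not taken from any real deployment.
    sample = make_v1(datetime(2013, 12, 9, 20, 6, tzinfo=timezone.utc),
                     node=0x001122334455, clock_seq=0x1234)
    print(sample, audit_uuid(sample))
    print(audit_uuid(str(uuid.uuid4())))
    print("P(collision in 20 million v4 UUIDs) ~", collision_probability(20000000))
```

<div>The estimate assumes all 122 bits come from a good random source; it says nothing about a generator whose output is predictable.</div>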
</body>
</html>