[openstack-dev] [security] FIPS Compliance (Was: [requirements][kolla][security] pycrypto vs cryptography)

Ian Cordasco sigmavirus24 at gmail.com
Fri Nov 18 16:47:59 UTC 2016


-----Original Message-----
From: Dean Troyer <dtroyer at gmail.com>
Reply: OpenStack Development Mailing List (not for usage questions) <openstack-dev at lists.openstack.org>
Date: November 18, 2016 at 10:15:44
To: OpenStack Development Mailing List (not for usage questions) <openstack-dev at lists.openstack.org>
Subject:  Re: [openstack-dev] [security] FIPS Compliance (Was: [requirements][kolla][security] pycrypto vs cryptography)

> > -----Original Message-----
> > From: Luke Hinds  
> [...]
> >> for non security related functions, but when it comes to government
> >> compliance and running OpenStack on public clouds (and even private for the
> >> Telcos / NFV), not meeting FIPS will in some cases block production getting
> >> a green light, or at least make it a big challenge to push through.
>  
> Are there any known cases of this happening? If so, can those be
> publicly documented to quantify how much this issue is hurting
> deployments?

I too would be very interested in learning about these.

>  
> On Fri, Nov 18, 2016 at 9:57 AM, Ian Cordasco wrote:
> > Also, instead of creating bugs, I would suggest instead that we try to make this into
> > a community goal. We would work with the TC and for P or Q, make it a goal to start migrating
> > off of MD5 and have a goal for a cycle or two later to completely remove reliance on MD5.
> >
> > Doing this piecemeal via bugs will not be efficient and we'll need community buy-in.  
>  
> We would also need to get a reasonable scoping of the issue (which
> projects, how many instances, etc) to help decide if this is an
> achievable goal (in the sense of the 'community goals').
>  
> As you noted, this will not be easy for Swift or Glance (others?), but
> if the impact to deployers can be quantified it makes it easier to
> spend energy here.

Well it is easy for Glance (I even did a PoC some time back). The problem with Glance, presently, is primarily the v1 API (the fact that it's deprecated and uses devices like Content-MD5 for metadata). After that we could absolutely return MD5 and SHA2 for a cycle or three. We would just need people integrating with Glance to then pick up the work.

If I remember correctly, Nova does some validation of the image based on hash value, and I would guess that the patch to use SHA2 when available would be somewhat easy. After that, it's the users writing integrations that we need to worry about. That's the biggest unknown piece of this puzzle to me. How many people integrate directly with Glance and how many of those rely on MD5 being the hash algorithm to determine the integrity of the image?

--  
Ian Cordasco
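
The transition described in this message (the image service returning MD5 and SHA2 side by side, and a consumer verifying with SHA2 when available), as an added example that is not part of the original message and is not Glance or Nova code. The function names and the `md5`/`sha256` metadata keys are hypothetical, and the image bytes are constructed.

```python
import hashlib
import hmac
import io

CHUNK_SIZE = 64 * 1024


def compute_checksums(stream):
    """Read the image once and return both the legacy and the SHA-2 digest."""
    sha256 = hashlib.sha256()
    try:
        md5 = hashlib.md5()
    except ValueError:
        md5 = None  # FIPS-enforcing Python builds can refuse MD5
    for chunk in iter(lambda: stream.read(CHUNK_SIZE), b""):
        sha256.update(chunk)
        if md5 is not None:
            md5.update(chunk)
    return {"md5": md5.hexdigest() if md5 is not None else None,
            "sha256": sha256.hexdigest()}


def verify_image(stream, metadata, allow_md5_fallback=True):
    """Return the algorithm that verified the image; raise ValueError otherwise.

    metadata is a hypothetical dict with optional "md5" and "sha256" keys.
    SHA-256 wins whenever it is published: a SHA-256 mismatch is final and
    never falls back to MD5, so the weaker hash cannot be used as a downgrade.
    """
    actual = compute_checksums(stream)
    if metadata.get("sha256") is not None:
        algo = "sha256"
    elif metadata.get("md5") is not None and allow_md5_fallback:
        algo = "md5"
    else:
        raise ValueError("no acceptable checksum published for this image")
    if actual[algo] is None:
        raise ValueError(algo + " is not available on this host")
    if not hmac.compare_digest(actual[algo], metadata[algo].lower()):
        raise ValueError(algo + " checksum mismatch")
    return algo


if __name__ == "__main__":
    image = b"constructed sample image bytes" * 4096  # constructed input
    published = compute_checksums(io.BytesIO(image))
    print(verify_image(io.BytesIO(image), published))  # both hashes published
    print(verify_image(io.BytesIO(image), {"md5": published["md5"]}))  # legacy
```

Setting `allow_md5_fallback=False` models the later cycle in which reliance on MD5 is removed: images that publish only an MD5 checksum are then rejected instead of verified.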
