Certainly sounds like a problem. It's been a while since I've looked into Swift at any depth, can you explain who (in the context of users/tenants/everyone) has access to Swift account meta data attributes? In general you're better off rolling HMAC keys regularly rather than trying to encrypt them, as that simply defers the problem to how you then protect the key for the encryption and how you share it etc.

From: Alexandra Shulman-Peleg [mailto:SHULMANA at il.ibm.com]
Sent: 28 August 2013 11:30
To: openstack-security at lists.openstack.org
Subject: [Openstack-security] Hmac keys in Swift tempurl middleware

Hi,

In tempurl middleware of Swift there is an hmac signature calculated with keys stored in account meta data attributes 'temp-url-key', 'temp-url-key-2' (see the function get_tempurl_keys_from_metadata in swift/common/middleware/tempurl.py). The generated signature allows access to the resources with URLs like https://swift-cluster.example.com/v1/AUTH_account/container/object?temp_url_sig=da39a3ee5e6b4b0d3255bfef95601890afd80709&temp_url_expires=1323479485. It seems that keeping the keys un-encrypted as part of the account info is a security vulnerability which allows anyone who can read the account meta data to generate and fake temp urls. Shouldn't we protect the keys used to calculate the hmac, either through encryption or by limiting their visibility?

Best Regards,
Alex.

----------------------------------------------------------
Alexandra Shulman-Peleg, PhD
Storage Research, Cloud Platforms
IBM Haifa Research Lab
Tel: +972-3-7689530 | Fax: +972-3-7689545
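To illustrate the two points raised in this thread (a tempurl is only as secret as the key that signs it, and two key slots let you roll keys without breaking URLs already in circulation), here is an added example that is not part of the thread or of Swift's own code. It assumes the tempurl message layout of HMAC-SHA1 over method, expiry and path joined by newlines, and the key names and timestamps are constructed for the example.

```python
import hmac
import hashlib
import time
from urllib.parse import urlsplit, parse_qs

# Constructed sample keys: slot 1 is the current key, slot 2 the previous one
# kept alive during a rotation window (the temp-url-key / temp-url-key-2 idea).
KEYS = ["current-secret-k2", "previous-secret-k1"]


def tempurl_sig(key: str, method: str, expires: int, path: str) -> str:
    """HMAC-SHA1 over "METHOD\\nexpires\\npath", hex encoded (assumed tempurl layout)."""
    msg = f"{method.upper()}\n{expires}\n{path}".encode()
    return hmac.new(key.encode(), msg, hashlib.sha1).hexdigest()


def make_temp_url(key: str, method: str, path: str, ttl_seconds: int, now=None) -> str:
    """Mint a signed URL valid for ttl_seconds from `now` (server-side helper)."""
    now = int(time.time()) if now is None else now
    expires = now + ttl_seconds
    sig = tempurl_sig(key, method, expires, path)
    return f"{path}?temp_url_sig={sig}&temp_url_expires={expires}"


def verify_temp_url(url: str, method: str, keys, now=None) -> bool:
    """Accept only an unexpired URL whose signature matches one of the active keys."""
    now = int(time.time()) if now is None else now
    parts = urlsplit(url)
    qs = parse_qs(parts.query)
    try:
        sig = qs["temp_url_sig"][0]
        expires = int(qs["temp_url_expires"][0])
    except (KeyError, ValueError):
        return False
    if expires <= now:
        return False
    # compare_digest keeps the comparison constant-time; any active slot may match,
    # which is what allows URLs signed under the old key to survive a rotation.
    return any(hmac.compare_digest(sig, tempurl_sig(k, method, expires, parts.path))
               for k in keys)


def rotate(keys, new_key: str):
    """Promote new_key to slot 1, demote the old slot 1 to slot 2, retire the oldest."""
    return [new_key, keys[0]]
```

Rotating twice evicts a key entirely, so URLs signed with it stop verifying even before they expire; that is the trade-off of rolling keys instead of trying to hide them.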