[Openstack-security] [Bug 1174499] Re: Keystone token hashing is MD5
Dolph Mathews
1174499 at bugs.launchpad.net
Fri Aug 23 00:14:36 UTC 2013
+1 for SHA-256. I really don't want to migrate to SHA-1, and then
migrate to something stronger next release anyway.
> The "pain" is caused by the migration itself not the particular
> algorithm used.
++
I believe the hashing algorithm is effectively a (undocumented?) part of
the API, so backwards-compatibility will have to be maintained. This is
NOT necessarily internal to OpenStack.
** Also affects: python-keystoneclient
Importance: Undecided
Status: New
** Changed in: python-keystoneclient
Status: New => Confirmed
--
https://bugs.launchpad.net/bugs/1174499
Title:
Keystone token hashing is MD5
Status in OpenStack Identity (Keystone):
Confirmed
Status in Python client library for Keystone:
Confirmed
Bug description:
https://github.com/openstack/python-keystoneclient/blob/master/keystoneclient/common/cms.py

    import hashlib

    # Base64-encoded DER (CMS) PKI tokens begin with "MII"; this prefix check is
    # how keystoneclient tells PKI tokens apart from UUID tokens.
    PKI_ANS1_PREFIX = 'MII'

    def is_ans1_token(token_id):
        return token_id[:3] == PKI_ANS1_PREFIX

    def cms_hash_token(token_id):
        """
        return: for ans1_token, returns the hash of the passed in token
        otherwise, returns what it was passed in.
        """
        if token_id is None:
            return None
        if is_ans1_token(token_id):
            hasher = hashlib.md5()  # the weak, fixed digest this bug is about
            # encode first so the same code runs under Python 3 (str) and 2 (bytes)
            hasher.update(token_id.encode('utf-8') if isinstance(token_id, str) else token_id)
            return hasher.hexdigest()
        else:
            return token_id
MD5 is a deprecated mechanism; it should be replaced with at least SHA1, if not SHA256.
Keystone should be able to support multiple Hash types, and the auth_token middleware should query Keystone to find out which type is in use.
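A hash-agnostic variant of the function above, added here as an example and not keystoneclient's own code, showing the two things the description asks for: a configurable digest (SHA-256 by default) and a revocation check that still matches MD5 entries produced before a migration, which is the backwards-compatibility concern raised in the reply. The `algorithm` argument stands in for whatever hash type Keystone would advertise to the middleware; that query itself is assumed, not shown.

```python
import hashlib

# Base64-encoded DER (CMS) PKI tokens begin with "MII"; UUID tokens do not.
PKI_ANS1_PREFIX = 'MII'

# Digests the middleware accepts. MD5 is kept only so hashes written before
# the migration can still be matched; newly computed hashes use SHA-256.
SUPPORTED_HASH_ALGORITHMS = ('sha256', 'sha512', 'md5')


def is_ans1_token(token_id):
    return token_id[:3] == PKI_ANS1_PREFIX


def cms_hash_token(token_id, algorithm='sha256'):
    """Hex digest of a PKI token under `algorithm`; non-PKI (UUID) tokens are
    returned unchanged. `algorithm` is the hash type Keystone is assumed to
    advertise; anything outside the supported set is rejected."""
    if token_id is None:
        return None
    if algorithm not in SUPPORTED_HASH_ALGORITHMS:
        raise ValueError('unsupported token hash algorithm: %s' % algorithm)
    if not is_ans1_token(token_id):
        return token_id
    data = token_id.encode('utf-8') if isinstance(token_id, str) else token_id
    return hashlib.new(algorithm, data).hexdigest()


def is_token_revoked(token_id, revoked_hashes, algorithms=SUPPORTED_HASH_ALGORITHMS):
    """True if any supported digest of `token_id` appears in `revoked_hashes`.
    During a migration the revocation list may hold old MD5 entries next to
    new SHA-256 entries, so every accepted algorithm is tried."""
    if token_id is None:
        return False
    return any(cms_hash_token(token_id, alg) in revoked_hashes for alg in algorithms)


if __name__ == '__main__':
    # Constructed sample: a fake PKI token (real ones are kilobytes of base64 DER).
    token = 'MIIConstructedSampleToken'
    legacy_revocation_list = {cms_hash_token(token, 'md5')}  # written pre-migration
    print(cms_hash_token(token))                              # 64-char SHA-256 hex
    print(is_token_revoked(token, legacy_revocation_list))    # True, matched via MD5
```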
To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1174499/+subscriptions