[Openstack-security] Deriving Instance UUID
Brian Schott
brian.schott at nimbisservices.com
Mon Dec 9 21:16:11 UTC 2013
Rob,
That is a hard question. The short answer is that it depends on the type of UUID. Type 1 () is the MAC address of the server + timestamp, so the probability of guessing another UUID in the system is very high. Type 4 (random) has 122 bits, so the probability of collision is extremely small and is also dependent on having a good random number generator. A poor implementation might be predictable. Type 5 (namespace) has fewer bits depending on the size of the namespace.
http://en.wikipedia.org/wiki/Birthday_problem#Probability_table
I think in general web URL usage, a bare UUID as an authentication mechanism isn't considered good practice, but it really depends on how many elements you have in the system, how it is protected from brute-force attacks, etc.
Brian
-------------------------------------------------
Brian Schott, CTO
Nimbis Services, Inc.
brian.schott at nimbisservices.com
ph: 443-274-6064 fx: 443-274-6060
On Dec 9, 2013, at 3:06 PM, Clark, Robert Graham <robert.clark at hp.com> wrote:
> Guys,
>
> Is there any way you know of to infer or guess at the UUID of a compute instance belonging to another tenant?
>
> -Rob
> _______________________________________________
> Openstack-security mailing list
> Openstack-security at lists.openstack.org
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-security
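
The difference between UUID types discussed in the message above can be inspected with Python's standard `uuid` module. This is an added example, not part of the original thread or of OpenStack code; the names `describe` and `collision_probability` and the sample node value are constructed for illustration.

```python
import math
import uuid
from datetime import datetime, timedelta, timezone

# Version 1 timestamps count 100-ns ticks from the Gregorian epoch (RFC 4122).
GREGORIAN_EPOCH = datetime(1582, 10, 15, tzinfo=timezone.utc)

def describe(value):
    """Report which parts of a UUID are structured and which are random."""
    u = uuid.UUID(value)
    info = {"version": u.version}
    if u.version == 1:
        # Anyone who sees a version 1 UUID can read these fields back out.
        info["created"] = GREGORIAN_EPOCH + timedelta(microseconds=u.time // 10)
        info["node"] = "%012x" % u.node      # usually the host MAC address
        info["clock_seq"] = u.clock_seq
    elif u.version == 4:
        # 128 bits minus 4 version bits and 2 variant bits.
        info["random_bits"] = 122
    elif u.version in (3, 5):
        # Deterministic: the same namespace and name always give the same UUID.
        info["derived_from"] = "hash of namespace + name"
    return info

def collision_probability(n, bits=122):
    """Birthday-bound estimate that n uniformly random IDs contain a repeat."""
    return -math.expm1(-n * (n - 1) / 2.0 / 2.0 ** bits)

# Constructed samples: a fixed, made-up node value and a fresh random UUID.
SAMPLE_V1 = str(uuid.uuid1(node=0x001122334455, clock_seq=0))
SAMPLE_V4 = str(uuid.uuid4())
SAMPLE_V5 = str(uuid.uuid5(uuid.NAMESPACE_DNS, "example.org"))

if __name__ == "__main__":
    for sample in (SAMPLE_V1, SAMPLE_V4, SAMPLE_V5):
        print(sample, describe(sample))
    # One billion random version 4 UUIDs in a single system.
    print("P(collision, n=1e9) ~", collision_probability(10 ** 9))
```

The 122-bit figure only holds when the version 4 values come from a cryptographically strong random source, which this code cannot verify from the UUID alone.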