[Openstack-security] [Bug 1251647] Re: Heat does home-grown symmetric crypto (AES-CFB) for no apparent reason
Bryan D. Payne
bdpayne at acm.org
Thu Nov 21 17:08:02 UTC 2013
I completely agree with the OP that this is a bad security practice. I
would also be interested in a discussion about his concerns about the
implementation in Oslo.
--
https://bugs.launchpad.net/bugs/1251647
Title:
Heat does home-grown symmetric crypto (AES-CFB) for no apparent reason
Status in Orchestration API (Heat):
Triaged
Status in OpenStack Security Advisories:
Invalid
Bug description:
In the following commit:
https://github.com/openstack/heat/commit/58cd52624b50476ed5ed1c5c0ba7cb1b4d7ba66d
... a decision was introduced to encrypt authentication information
using unauthenticated AES-CFB.
There are a few things I don't like about that commit, but suffice to
say that heat/engine/auth.py should probably not be a place where
symmetric crypto decisions are made.
I've been told that there's a new public API for symmetric encryption,
SymmetricCrypto that lives in openstack/common/crypto/utils.py:
https://github.com/openstack/oslo-incubator/blob/master/openstack/common/crypto/utils.py#L99
I think that also gets a few things wrong, but at the very least Heat
should use a centralized thing for encrypting stuff.
(I'd love to complain about and work on SymmetricCrypto too, but
that's not this ticket :)
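The report's core point, that AES-CFB with no MAC cannot tell a modified ciphertext from a genuine one, as an added Python example (not code from Heat, Oslo or the reporter). It assumes the third-party `cryptography` package; the keys, the `admin=0` sample secret and all helper names are constructed for the demo. It also goes one step past the report by putting the two standard fixes beside the bare mode: encrypt-then-MAC with a separate HMAC key, and an AEAD mode (AES-GCM).

```python
"""
Added example (not Heat's or Oslo's code): why unauthenticated AES-CFB is a
poor choice for stored credentials, and two authenticated alternatives.
Assumes the third-party `cryptography` package. Keys and the sample secret
are constructed for the demo.
"""
import hashlib
import hmac
import os

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

IV_LEN = 16    # AES block size; CFB needs a fresh random IV per message
NONCE_LEN = 12  # recommended GCM nonce size
TAG_LEN = 32   # HMAC-SHA256 output length


def cfb_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Bare AES-CFB (128-bit feedback) as the bug describes: IV || ct, no integrity."""
    iv = os.urandom(IV_LEN)
    enc = Cipher(algorithms.AES(key), modes.CFB(iv), backend=default_backend()).encryptor()
    return iv + enc.update(plaintext) + enc.finalize()


def cfb_decrypt(key: bytes, blob: bytes) -> bytes:
    """Decrypts anything of the right shape; it cannot distinguish a forgery from real data."""
    iv, ct = blob[:IV_LEN], blob[IV_LEN:]
    dec = Cipher(algorithms.AES(key), modes.CFB(iv), backend=default_backend()).decryptor()
    return dec.update(ct) + dec.finalize()


def etm_encrypt(enc_key: bytes, mac_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: HMAC-SHA256 over IV || ct, keyed separately from the cipher."""
    body = cfb_encrypt(enc_key, plaintext)
    return body + hmac.new(mac_key, body, hashlib.sha256).digest()


def etm_decrypt(enc_key: bytes, mac_key: bytes, blob: bytes) -> bytes:
    """Verify the tag in constant time before the ciphertext is touched at all."""
    body, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("ciphertext failed authentication")
    return cfb_decrypt(enc_key, body)


def gcm_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """AEAD alternative: AES-GCM bundles confidentiality and integrity; nonce || ct || tag."""
    nonce = os.urandom(NONCE_LEN)
    return nonce + AESGCM(key).encrypt(nonce, plaintext, None)


def gcm_decrypt(key: bytes, blob: bytes) -> bytes:
    """Raises cryptography.exceptions.InvalidTag on any modification of nonce, ct or tag."""
    return AESGCM(key).decrypt(blob[:NONCE_LEN], blob[NONCE_LEN:], None)


def flip_bit(blob: bytes, index: int, mask: int) -> bytes:
    """Simulate corruption or modification of one stored ciphertext byte."""
    b = bytearray(blob)
    b[index] ^= mask
    return bytes(b)


def demo() -> dict:
    enc_key, mac_key, gcm_key = os.urandom(32), os.urandom(32), os.urandom(32)
    secret = b"admin=0"  # constructed sample; short enough to sit in one CFB segment

    # 1. Bare CFB: flipping the low bit of the last ciphertext byte flips the
    #    same bit of the last plaintext byte, and decryption raises nothing.
    blob = cfb_encrypt(enc_key, secret)
    altered = cfb_decrypt(enc_key, flip_bit(blob, len(blob) - 1, 0x01))

    # 2. Encrypt-then-MAC: the same kind of modification is rejected up front.
    sealed = etm_encrypt(enc_key, mac_key, secret)
    try:
        etm_decrypt(enc_key, mac_key, flip_bit(sealed, IV_LEN, 0x01))
        etm_rejected = False
    except ValueError:
        etm_rejected = True

    # 3. AES-GCM: likewise rejected, with no hand-rolled MAC to get wrong.
    aead = gcm_encrypt(gcm_key, secret)
    try:
        gcm_decrypt(gcm_key, flip_bit(aead, NONCE_LEN, 0x01))
        gcm_rejected = False
    except InvalidTag:
        gcm_rejected = True

    return {
        "cfb_roundtrip": cfb_decrypt(enc_key, blob),
        "cfb_altered": altered,          # b"admin=1": silently changed
        "etm_roundtrip": etm_decrypt(enc_key, mac_key, sealed),
        "etm_rejected": etm_rejected,    # True
        "gcm_roundtrip": gcm_decrypt(gcm_key, aead),
        "gcm_rejected": gcm_rejected,    # True
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

Run it directly to print the six results; the line that matters is `cfb_altered`, where the bare-CFB decryptor hands back a changed value with no error while the other two variants refuse. This is also the argument for the centralized helper the report points at: the MAC, the key separation and the constant-time comparison are exactly the details each service gets wrong when it rolls its own.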