[Openstack-security] Authentication token generation using UUID

Adam Young ayoung at redhat.com
Tue Feb 11 01:51:12 UTC 2014


On 02/10/2014 09:19 AM, Abu Shohel Ahmed wrote:
> Hi,
>
> Currently, Keystone Token provider (both PKI and UUID) relies on 
> uuid.uuid4 to generate token which
> is used as an authentication token during its lifetime.

Not true for PKI tokens, only UUID.  PKI tokens are crypto signed (CMS), 
and then their ID is the MD5 hash of the signed document.

And a new format is in the works...
>
> def _get_token_id(self, token_data):
>     return uuid.uuid4().hex
>
> My question is how secure is UUID4 token. According to RFC 4122
>
> "Do not assume that UUIDs are hard to guess; they should not be used
>     as security capabilities (identifiers whose mere possession grants
>     access)"
>
> The implementation of UUID4 relies on os.urandom() which provides 
> pretty good randomness. However, there are still
> concerns about its randomness. See the thread here 
> http://stackoverflow.com/questions/817882/unique-session-id-in-python.
>
> Should it be a security bug for keystone ? If it is, both PKI and UUID 
> token generation process is vulnerable.
>
> ...shohel
>
>

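The quoted snippet and the RFC 4122 warning raise a concrete question for anyone reviewing a token provider: how many unpredictable bits does `uuid.uuid4().hex` actually carry, and how should a validator compare a presented token against the stored one? The following is an added example (not Keystone code and not part of this thread) that answers both in plain Python. It assumes the CPython `uuid` module, which draws `uuid4()` from `os.urandom()` as the original post says, and the modern stdlib `secrets` module (Python 3.6+) for the comparison case; `hmac.compare_digest` is likewise an assumption the thread does not mention.

```python
import hmac
import secrets
import uuid

# A version-4 UUID is 128 bits, of which RFC 4122 section 4.4 fixes the
# 4 version bits and the 2 variant bits; the remaining 122 come from the
# CSPRNG (os.urandom in CPython).
UUID4_RANDOM_BITS = 128 - 6


def uuid4_token() -> str:
    """Build a token the way the quoted Keystone method does: uuid4().hex."""
    return uuid.uuid4().hex


def random_token(nbytes: int = 32) -> str:
    """Opaque bearer token from the OS CSPRNG with no fixed format bits.

    32 bytes gives 256 random bits, versus 122 for a uuid4 hex id.
    """
    return secrets.token_hex(nbytes)


def fixed_bits(token_hex: str) -> tuple:
    """Return (version nibble, top two bits of the variant byte) of a UUID hex id.

    For a genuine uuid4 this is (4, 2): version 4 and variant bits '10'.
    """
    u = uuid.UUID(hex=token_hex)
    return u.version, (u.bytes[8] >> 6)


def random_bits(token_hex: str) -> int:
    """Effective unpredictable bits in a hex token.

    If the token parses as an RFC 4122 version-4 UUID, the six fixed bits
    are discounted; otherwise every bit is counted.
    """
    total = len(bytes.fromhex(token_hex)) * 8
    try:
        u = uuid.UUID(hex=token_hex)
    except ValueError:
        # Not 128 bits long, so it cannot be a UUID at all.
        return total
    if u.version == 4 and u.variant == uuid.RFC_4122:
        return total - 6
    return total


def token_matches(presented: str, stored: str) -> bool:
    """Constant-time comparison so validation timing does not leak the stored token."""
    return hmac.compare_digest(presented.encode(), stored.encode())


if __name__ == "__main__":
    t = uuid4_token()
    print(t, "random bits:", random_bits(t), "fixed:", fixed_bits(t))
    r = random_token()
    print(r, "random bits:", random_bits(r))
    print("self-match:", token_matches(t, t), "cross-match:", token_matches(t, r))
```

The point the numbers make is the one the RFC warning is really about: a UUID is only as unguessable as its source, and a uuid4 drawn from `os.urandom()` gives 122 bits, which is far beyond brute-force reach; the RFC text is a caution against assuming that property of UUIDs in general (version 1 encodes time and MAC), not a statement that uuid4-from-urandom is weak. The constant-time comparison is the validator-side check that a token review should also ask about.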