[Openstack-security] Python Crypto libs Trustability
Darren J Moffat
Darren.Moffat at Oracle.COM
Fri Jun 6 13:34:32 UTC 2014
On 06/05/14 23:32, Jeffrey Walton wrote:
> On Thu, Jun 5, 2014 at 3:58 PM, Travis McPeak
> <Travis_McPeak at symantec.com> wrote:
>> Hi all,
>>
>> I've been thinking about some of the crypto libraries that are being used
>> in OpenStack projects, specifically how much confidence should we have in
>> them.
> Yes, this is a governance issue. If the third-party library does not
> meet standards, then it should not be used in OpenStack.
>
> Cloud providers also have a governance issue: OpenStack must meet the
> provider's standards, else the provider cannot use OpenStack.

Some of those Cloud providers will need to be able to make statements
about FIPS 140 validation of all crypto used in the infrastructure.
While the hosted customer applications will usually not be directly
using the crypto from OpenStack they may be depending on it (e.g. if
OpenStack is providing IPsec VPN services between the VMs).

> One of the first problems seems to be the lack of a single OpenStack
> crypto wrapper. That is, there should be an OpenStack.Crypto that
> provides all the primitives. All source code should call through
> OpenStack.Crypto. Instead, code sometimes calls into other libraries
> and sometimes rolls its own stuff.
>
> What OpenStack.Crypto wraps or implements is a different issue. But
> it's a good first step to ensure calls are being funneled into audited
> code.

Providing that OpenStack.Crypto does no crypto algorithm implementation
and does not directly do key management or key generation, then it should
be possible to depend on a FIPS 140 validation of the underlying
provider (all the way back to something like OpenSSL's libcrypto if
possible).

The other advantage of using something like OpenSSL as the actual
cryptographic algorithm implementation is that it provides CPU optimised
versions of the common ciphers, e.g. using AES-NI or the SPARC T4
instructions for AES, SHA256 etc.

It may also be useful if OpenStack.Crypto code were a thin layer on top of
PKCS#11 - though I'd hope that most of the cases where OpenStack needs
key management can be dealt with via projects like Barbican providing it
as a service.

--
Darren J Moffat
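
The thin-wrapper idea discussed in this message, as an added example that is not part of the original post or of any OpenStack code: a facade that implements no algorithm and generates no keys, only enforcing a policy and delegating to the Python standard library (which is OpenSSL-backed in typical CPython builds). The names `APPROVED_HASHES`, `PolicyError`, `digest`, `mac` and `verify_mac` are hypothetical, and the approved-algorithm set is an assumed deployment policy.

```python
"""Hypothetical thin crypto facade (illustration only, not OpenStack code).

Every operation is delegated to hashlib/hmac; nothing is implemented here.
"""
import hashlib
import hmac

# Assumption for this sketch: the deployment's approved-hash policy.
APPROVED_HASHES = frozenset({"sha256", "sha384", "sha512"})


class PolicyError(ValueError):
    """Raised when a caller asks for something outside the policy."""


def _check(alg: str) -> str:
    """Normalise the algorithm name and reject anything not approved."""
    name = alg.lower()
    if name not in APPROVED_HASHES:
        raise PolicyError(f"hash algorithm {alg!r} is not approved")
    return name


def digest(alg: str, data: bytes) -> str:
    """Hex digest computed by the underlying provider, never locally."""
    return hashlib.new(_check(alg), data).hexdigest()


def mac(alg: str, key: bytes, data: bytes) -> bytes:
    """HMAC tag over data.

    The key is supplied by the caller (for example fetched from a
    key-management service); the facade never generates or stores keys.
    """
    if not key:
        raise PolicyError("empty HMAC key")
    return hmac.new(key, data, _check(alg)).digest()


def verify_mac(alg: str, key: bytes, data: bytes, tag: bytes) -> bool:
    """Constant-time tag comparison, also delegated to the stdlib."""
    return hmac.compare_digest(mac(alg, key, data), tag)
```

Because every call site goes through one module, an audit only has to confirm that this file contains no primitives of its own and that the allowlist matches the provider's validated algorithms.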