[Openstack-security] [Bug 1174499] Re: Keystone token hashing is MD5

OpenStack Infra 1174499 at bugs.launchpad.net
Wed May 28 05:11:44 UTC 2014


Reviewed:  https://review.openstack.org/80398
Committed: https://git.openstack.org/cgit/openstack/python-keystoneclient/commit/?id=22db04bb6bee3ab15a90510bb6c1780d2a254300
Submitter: Jenkins
Branch:    master

commit 22db04bb6bee3ab15a90510bb6c1780d2a254300
Author: Brant Knudson <bknudson at us.ibm.com>
Date:   Tue May 6 19:36:59 2014 -0500

    auth_token middleware hashes tokens with configurable algorithm
    
    The auth_token middleware always hashed PKI Tokens with MD5. This
    change makes it so that PKI tokens can be hashed with SHA256 or any
    other algorithm supported by hashlib.new(). This is for security
    hardening.
    
    auth_token has a new config option 'hash_algorithms' that is set
    to the list of algorithms that will be used for hashing PKI tokens.
    This will typically be set to a single hash algorithm which must
    match the hash algorithm set in Keystone. Otherwise the tokens
    in the revocation list will not match, leading to revoked tokens
    being still usable.
    
    During a transition from one algorithm to another,
    'hash_algorithms' is set to both the new algorithm and the old
    algorithm. Both of the hash algorithms will be used to match
    against the revocation list and cache. Once the tokens using the
    old algorithm have expired the old algorithm can be removed from
    the list.
    
    'hash_algorithms' defaults to ['md5'] for backwards compatibility.
    
    DocImpact
    SecurityImpact
    Closes-Bug: #1174499
    
    Change-Id: Ie524125dc5f6f1076bfd47db3a414b178e4dac80

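To make the transition scheme in the commit message concrete, here is an added, constructed Python illustration (not code from python-keystoneclient) of how hashing a PKI token under every configured algorithm keeps a revocation list produced under either the old or the new algorithm effective, and how a middleware left on md5 alone misses a sha256 revocation list. The token value and both revocation lists are constructed; `hash_token`, `is_revoked` and `transition_demo` are hypothetical names.

```python
import hashlib

# Constructed illustration of the scheme described in the commit message:
# the middleware hashes a PKI token with every algorithm in hash_algorithms
# and checks each digest against the revocation list, so a list published
# under the old algorithm (md5) and one published under the new algorithm
# (sha256) both still revoke the token while both algorithms are configured.


def hash_token(token_id, algorithm):
    """Hex digest of a PKI token under any hashlib.new() algorithm name."""
    hasher = hashlib.new(algorithm)
    hasher.update(token_id.encode("utf-8"))
    return hasher.hexdigest()


def token_hashes(token_id, hash_algorithms):
    """All candidate digests for a token, one per configured algorithm."""
    return [hash_token(token_id, alg) for alg in hash_algorithms]


def is_revoked(token_id, hash_algorithms, revocation_list):
    """True if the digest under any configured algorithm is on the list."""
    revoked = set(revocation_list)
    return any(h in revoked for h in token_hashes(token_id, hash_algorithms))


# Constructed stand-in for a PKI token (real ones are long CMS blobs).
TOKEN = "MIIBxwYJKoZIhvcNAQcCoIIBuDCCAbQCAQEx-constructed-pki-token"

# Revocation list as Keystone publishes it while still hashing with md5.
REVOKED_MD5 = [hash_token(TOKEN, "md5")]
# Revocation list after Keystone has switched to sha256.
REVOKED_SHA256 = [hash_token(TOKEN, "sha256")]


def transition_demo():
    """Return (mismatched config misses revocation,
               transition config sees md5 list,
               transition config sees sha256 list)."""
    # Keystone moved to sha256 but the middleware still only uses md5:
    # the revoked token is not matched, so it stays usable.
    mismatch = is_revoked(TOKEN, ["md5"], REVOKED_SHA256)
    # During the transition both algorithms are configured.
    during_old = is_revoked(TOKEN, ["sha256", "md5"], REVOKED_MD5)
    during_new = is_revoked(TOKEN, ["sha256", "md5"], REVOKED_SHA256)
    return mismatch, during_old, during_new


if __name__ == "__main__":
    print(transition_demo())  # (False, True, True)
```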

** Changed in: python-keystoneclient
       Status: In Progress => Fix Committed

-- 
You received this bug notification because you are a member of OpenStack
Security Group, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1174499

Title:
  Keystone token hashing is MD5

Status in OpenStack Dashboard (Horizon):
  New
Status in OpenStack Identity (Keystone):
  Fix Committed
Status in OpenStack API documentation site:
  Confirmed
Status in Python client library for Keystone:
  Fix Committed

Bug description:
  https://github.com/openstack/python-keystoneclient/blob/master/keystoneclient/common/cms.py

  import hashlib

  def cms_hash_token(token_id):
      """
      return: for ans1_token, returns the hash of the passed in token
      otherwise, returns what it was passed in.
      """
      if token_id is None:
          return None
      # is_ans1_token() is defined elsewhere in the same cms.py module
      if is_ans1_token(token_id):
          hasher = hashlib.md5()  # the hard-coded MD5 this bug reports
          hasher.update(token_id)
          return hasher.hexdigest()
      else:
          return token_id

  
  MD5 is a deprecated mechanism; it should be replaced with at least SHA1, if not SHA256.
  Keystone should be able to support multiple Hash types, and the auth_token middleware should query Keystone to find out which type is in use.

To manage notifications about this bug go to:
https://bugs.launchpad.net/horizon/+bug/1174499/+subscriptions
