settingsLogin | Registersettings

Re: [openstack-dev] [Glance][Security] Secure Hash Algorithm Spec

0 votes

On Thu, Sep 28, 2017 at 8:38 PM, McClymont Jr, Scott <
scott.mcclymont@verizonwireless.com> wrote:

Hey All,

I've got a spec up for a change I want to implement in Glance for Queens
to enhance the current checksum (md5) functionality with a stronger hash
algorithm. I'm going to do this in such a way that it is easily altered in
the future for new algorithms as they are released. I'd appreciate it if
someone on the security team could look it over and comment. Thanks.

Review: https://review.openstack.org/#/c/507568/

+1 , thanks for undertaking this work. Strong support from the security
projects side.

Would be good to see all projects move on from MD5 use now, its been known
to be insecure for sometime and clashes with FIPS-142 compliance.

--
Scott McClymont
Sr. Software Engineer
Verizon Cloud Platform


OpenStack Development Mailing List (not for usage questions)
Unsubscribe: OpenStack-dev-request@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev


OpenStack Development Mailing List (not for usage questions)
Unsubscribe: OpenStack-dev-request@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
asked Sep 30, 2017 in openstack-dev by Luke_Hinds (1,500 points)   1

5 Responses

0 votes

Thanks Scott, makes sense.

On Fri, Sep 29, 2017 at 12:19 PM, Luke Hinds lhinds@redhat.com wrote:

On Thu, Sep 28, 2017 at 8:38 PM, McClymont Jr, Scott <scott.mcclymont@
verizonwireless.com> wrote:

Hey All,

I've got a spec up for a change I want to implement in Glance for Queens
to enhance the current checksum (md5) functionality with a stronger hash
algorithm. I'm going to do this in such a way that it is easily altered in
the future for new algorithms as they are released. I'd appreciate it if
someone on the security team could look it over and comment. Thanks.

Review: https://review.openstack.org/#/c/507568/

+1 , thanks for undertaking this work. Strong support from the security
projects side.

Would be good to see all projects move on from MD5 use now, its been known
to be insecure for sometime and clashes with FIPS-142 compliance.

--
Scott McClymont
Sr. Software Engineer
Verizon Cloud Platform



OpenStack Development Mailing List (not for usage questions)
Unsubscribe: OpenStack-dev-request@lists.openstack.org?subject:unsubscrib
e
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev


OpenStack Development Mailing List (not for usage questions)
Unsubscribe: OpenStack-dev-request@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

--
Adam Heczko
Security Engineer @ Mirantis Inc.


OpenStack Development Mailing List (not for usage questions)
Unsubscribe: OpenStack-dev-request@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
responded Sep 29, 2017 by Adam_Heczko (1,860 points)   1
0 votes

On 09/29/2017 06:19 AM, Luke Hinds wrote:
On Thu, Sep 28, 2017 at 8:38 PM, McClymont Jr, Scott
<scott.mcclymont@verizonwireless.com
scott.mcclymont@verizonwireless.com> wrote:

Hey All,

I've got a spec up for a change I want to implement in Glance for
Queens to enhance the current checksum (md5) functionality with a
stronger hash algorithm. I'm going to do this in such a way that it
is easily altered in the future for new algorithms as they are
released.  I'd appreciate it if someone on the security team could
look it over and comment. Thanks.

Review: https://review.openstack.org/#/c/507568/
<https://review.openstack.org/#/c/507568/>

+1 , thanks for undertaking this work. Strong support from the security
projects side.

Would be good to see all projects move on from MD5 use now, its been
known to be insecure for sometime and clashes with FIPS-142 compliance.

In the case of Glance's use of MD5 for checksums, it is used to identify
whether a particular array of bytes that represents an image has
changed. The client uploads a bytestream to Glance, which does a rolling
checksum of that byte data for each chunk received and writes the
checksum to the database upon completion of the upload.

That checksum number never changes since Glance images are immutable
once uploaded.

Can someone please inform me how changing the checksum algorithm for
this operation to SHA-1 or something else would improve the security of
this operation?

As someone who recently had to go through thousands of (mostly bogus)
entries in a spreadsheet generated from the Bandit "security scanning
tool", I'd like to ask that we approach these kinds of things with some
common sense and not just as a checking-the-box-off activity.

md5 is used in a number of places in many OpenStack services, and often
those uses have nothing to do with cryptography. Rather, in those cases
md5 is used as a simple mechanism to generate a hash from a name. [1]

All I ask is that we don't have an army of people going out and
replacing blindly all uses of the MD5 algorithm everywhere, since (as I
learned recently) that will just lead to a lot of busywork for little gain.

Best,
-jay

[1] https://github.com/openstack/nova/blob/master/nova/utils.py#L1067


OpenStack Development Mailing List (not for usage questions)
Unsubscribe: OpenStack-dev-request@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
responded Sep 29, 2017 by Jay_Pipes (59,760 points)   3 11 14
0 votes

On 2017-09-29 12:31:21 -0400 (-0400), Jay Pipes wrote:
[...]
Can someone please inform me how changing the checksum algorithm
for this operation to SHA-1 or something else would improve the
security of this operation?
[...]

The current known flaws in MD5 pretty much boil down to this one
potential exploit scenario:

As a devious malcontent, I construct two images which are specially
engineered to result in the same MD5 checksum (this part alone may
not even be possible depending on the nature of the image protocol
and its metadata headers, but let's leave that aside for the
moment). One image is benign, and the other is malicious in nature.

I upload the benign image and get people to trust it. Later I
(again, exercise left to the imagination of the reader... leveraging
optional external image locations functionality in Glance?)
substitute the malicious image and people begin booting it instead,
continuing to trust it because it has the same checksum.

This example is, of course, contrived and riddled with gaping plot
holes; it would never make for a mystery bestseller. Who or what is
even validating these checksums to begin with? If you can get people
to run images you've uploaded, odds are it's game over anyway
regardless of whether or not the checksums change, and the known
avenues for that involve either an inside job or dangerous
configuration options.

The simpler explanation is that people hear "MD5 is broken" and so
anyone writing policies and auditing security/compliance just tells
you it's verboten. That, and uninformed alarmists who freak out when
they find uses of MD5 and think that means the software will be
hax0red the moment you put it into production. Sometimes it's easier
to just go through the pain of replacing unpopular cryptographic
primitives so you can avoid having this same discussion over and
over with people whose eyes glaze over as soon as you start to try
and tell them anything which disagrees with their paranoid
sensationalist media experts.

Oh, also, SHA-1 isn't much better in this regard.
--
Jeremy Stanley


OpenStack Development Mailing List (not for usage questions)
Unsubscribe: OpenStack-dev-request@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

responded Sep 29, 2017 by Jeremy_Stanley (56,700 points)   3 5 7
0 votes

On Fri, Sep 29, 2017 at 5:31 PM, Jay Pipes jaypipes@gmail.com wrote:

On 09/29/2017 06:19 AM, Luke Hinds wrote:

On Thu, Sep 28, 2017 at 8:38 PM, McClymont Jr, Scott <
scott.mcclymont@verizonwireless.com <mailto:scott.mcclymont@verizo
nwireless.com>> wrote:

Hey All,

I've got a spec up for a change I want to implement in Glance for
Queens to enhance the current checksum (md5) functionality with a
stronger hash algorithm. I'm going to do this in such a way that it
is easily altered in the future for new algorithms as they are
released.  I'd appreciate it if someone on the security team could
look it over and comment. Thanks.

Review: https://review.openstack.org/#/c/507568/
<https://review.openstack.org/#/c/507568/>

+1 , thanks for undertaking this work. Strong support from the security
projects side.

Would be good to see all projects move on from MD5 use now, its been
known to be insecure for sometime and clashes with FIPS-142 compliance.

In the case of Glance's use of MD5 for checksums, it is used to identify
whether a particular array of bytes that represents an image has changed.
The client uploads a bytestream to Glance, which does a rolling checksum of
that byte data for each chunk received and writes the checksum to the
database upon completion of the upload.

That checksum number never changes since Glance images are immutable once
uploaded.

Can someone please inform me how changing the checksum algorithm for this
operation to SHA-1 or something else would improve the security of this
operation?

As I understand it, MD5 has been proven to be susceptible to collision
attacks, so its possible to generate the same hash from two blobs. The same
is also true for SHA-1, and can't be out ruled this may also be the case
for strong cryptos (SHA 256, 512 etc) in the future.

As someone who recently had to go through thousands of (mostly bogus)
entries in a spreadsheet generated from the Bandit "security scanning
tool", I'd like to ask that we approach these kinds of things with some
common sense and not just as a checking-the-box-off activity.

understood, you may already know this, but you can make a # nosec on the
line using hashlib.md5 and Bandit will not false positive. It might seem a
pain it reporting on md5, but it has highlighted a few occurrences of
people using weak hashes for salting , integrity checks etc.

md5 is used in a number of places in many OpenStack services, and often
those uses have nothing to do with cryptography. Rather, in those cases md5
is used as a simple mechanism to generate a hash from a name. [1]

All I ask is that we don't have an army of people going out and replacing
blindly all uses of the MD5 algorithm everywhere, since (as I learned
recently) that will just lead to a lot of busywork for little gain.

I do see you're point, some network protocols also use md5 purely for error
checking, not computing. In OpenStack swift uses MD5 for a non security
case, and its no simple swap out for them.

If anything it would be ideal to insure anyone implementing new
functionality, not use md5 and if anyone can easily swap out uses of md5 /
sha1 then its worth doing, as there may be an edge case not yet seen that
it opens up a hole.

Best,
-jay

[1] https://github.com/openstack/nova/blob/master/nova/utils.py#L1067


OpenStack Development Mailing List (not for usage questions)
Unsubscribe: OpenStack-dev-request@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

--
Luke Hinds | NFV Partner Engineering | Office of Technology | Red Hat
e: lhinds@redhat.com | irc: lhinds @freenode | m: +44 77 45 63 98 84 | t: +44
12 52 36 2483


OpenStack Development Mailing List (not for usage questions)
Unsubscribe: OpenStack-dev-request@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
responded Sep 29, 2017 by Luke_Hinds (1,500 points)   1
0 votes

On Fri, Sep 29, 2017 at 1:38 PM, Jeremy Stanley fungi@yuggoth.org wrote:
On 2017-09-29 12:31:21 -0400 (-0400), Jay Pipes wrote:
[...]

Can someone please inform me how changing the checksum algorithm
for this operation to SHA-1 or something else would improve the
security of this operation?
[...]
[...]
The simpler explanation is that people hear "MD5 is broken" and so
anyone writing policies and auditing security/compliance just tells
you it's verboten. That, and uninformed alarmists who freak out when
they find uses of MD5 and think that means the software will be
hax0red the moment you put it into production. Sometimes it's easier
to just go through the pain of replacing unpopular cryptographic
primitives so you can avoid having this same discussion over and
over with people whose eyes glaze over as soon as you start to try
and tell them anything which disagrees with their paranoid
sensationalist media experts.

This is the primary motivator. Regardless of whether it makes sense
for the particular use of md5 in Glance or not, operators have to fill
in checkboxes in security compliance documentation that will be
consumed by increasingly less-well-informed people. This way, rather
than try to justify Glance's use of md5 in 140 chars or less (assuming
there even is a "comment" field), operators can just answer "no" to
the question "does the system rely on md5" and be done with it. I
think that's why the general reaction to this spec is a sigh of relief
that Glance is eliminating a dependency on md5.

Additionally, there's a use case of locating the same image in
different regions served by different Glance installations. The
'checksum' property was indexed back in Folsom or Grizzly so that a
user could do an image-list call filtered by a particular checksum
value to find the same image they were using in one region in another
region. But with an md5 checksum, we really can't recommend this
strategy of locating an image.


OpenStack Development Mailing List (not for usage questions)
Unsubscribe: OpenStack-dev-request@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
responded Sep 30, 2017 by rosmaita.fossdev_at_ (4,180 points)   1 2 2
...