Re: [openstack-dev] [Glance][Security] Secure Hash Algorithm Spec

[Brian Rosmaita]

On Fri, Sep 29, 2017 at 1:38 PM, Jeremy Stanley  wrote:
> On 2017-09-29 12:31:21 -0400 (-0400), Jay Pipes wrote:
> [...]
>> Can someone please inform me how changing the checksum algorithm
>> for this operation to SHA-1 or something else would improve the
>> security of this operation?
> [...]
[...]
> The simpler explanation is that people hear "MD5 is broken" and so
> anyone writing policies and auditing security/compliance just tells
> you it's verboten. That, and uninformed alarmists who freak out when
> they find uses of MD5 and think that means the software will be
> hax0red the moment you put it into production. Sometimes it's easier
> to just go through the pain of replacing unpopular cryptographic
> primitives so you can avoid having this same discussion over and
> over with people whose eyes glaze over as soon as you start to try
> and tell them anything which disagrees with their paranoid
> sensationalist media experts.

This is the primary motivator.  Regardless of whether it makes sense
for the particular use of md5 in Glance or not, operators have to fill
in checkboxes in security compliance documentation that will be
consumed by increasingly less-well-informed people.  This way, rather
than try to justify Glance's use of md5 in 140 chars or less (assuming
there even is a "comment" field), operators can just answer "no" to
the question "does the system rely on md5" and be done with it.  I
think that's why the general reaction to this spec is a sigh of relief
that Glance is eliminating a dependency on md5.

Additionally, there's a use case of locating the same image in
different regions served by different Glance installations.  The
'checksum' property was indexed back in Folsom or Grizzly so that a
user could do an image-list call filtered by a particular checksum
value to find the same image they were using in one region in another
region.  But with an md5 checksum, we really can't recommend this
strategy of locating an image.

__
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

Re: [openstack-dev] [Glance][Security] Secure Hash Algorithm Spec

[Luke Hinds]

On Fri, Sep 29, 2017 at 5:31 PM, Jay Pipes  wrote:

> On 09/29/2017 06:19 AM, Luke Hinds wrote:
>
>> On Thu, Sep 28, 2017 at 8:38 PM, McClymont Jr, Scott <
>> scott.mcclym...@verizonwireless.com > nwireless.com>> wrote:
>>
>> Hey All,
>>
>> I've got a spec up for a change I want to implement in Glance for
>> Queens to enhance the current checksum (md5) functionality with a
>> stronger hash algorithm. I'm going to do this in such a way that it
>> is easily altered in the future for new algorithms as they are
>> released.  I'd appreciate it if someone on the security team could
>> look it over and comment. Thanks.
>>
>> Review: https://review.openstack.org/#/c/507568/
>> 
>>
>>
>> +1 , thanks for undertaking this work. Strong support from the security
>> projects side.
>>
>> Would be good to see all projects move on from MD5 use now, its been
>> known to be insecure for sometime and clashes with FIPS-142 compliance.
>>
>
> In the case of Glance's use of MD5 for checksums, it is used to identify
> whether a particular array of bytes that represents an image has changed.
> The client uploads a bytestream to Glance, which does a rolling checksum of
> that byte data for each chunk received and writes the checksum to the
> database upon completion of the upload.
>
> That checksum number never changes since Glance images are immutable once
> uploaded.
>
> Can someone please inform me how changing the checksum algorithm for this
> operation to SHA-1 or something else would improve the security of this
> operation?
>


As I understand it, MD5 has been proven to be susceptible to collision
attacks, so its possible to generate the same hash from two blobs. The same
is also true for SHA-1, and can't be out ruled this may also be the case
for strong cryptos (SHA 256, 512 etc) in the future.


> As someone who recently had to go through thousands of (mostly bogus)
> entries in a spreadsheet generated from the Bandit "security scanning
> tool", I'd like to ask that we approach these kinds of things with some
> common sense and not just as a checking-the-box-off activity.
>

understood, you may already know this, but you can make a # nosec on the
line using hashlib.md5 and Bandit will not false positive. It might seem a
pain it reporting on md5, but it has highlighted a few occurrences of
people using weak hashes for salting , integrity checks etc.

>
> md5 is used in a number of places in many OpenStack services, and often
> those uses have nothing to do with cryptography. Rather, in those cases md5
> is used as a simple mechanism to generate a hash from a name. [1]
>
> All I ask is that we don't have an army of people going out and replacing
> blindly all uses of the MD5 algorithm everywhere, since (as I learned
> recently) that will just lead to a lot of busywork for little gain.
>

I do see you're point, some network protocols also use md5 purely for error
checking, not computing. In OpenStack swift uses MD5 for a non security
case, and its no simple swap out for them.

If anything it would be ideal to insure anyone implementing new
functionality, not use md5 and if anyone can easily swap out uses of md5 /
sha1 then its worth doing, as there may be an edge case not yet seen that
it opens up a hole.


>
> Best,
> -jay
>
> [1] https://github.com/openstack/nova/blob/master/nova/utils.py#L1067
>
>
>
> __
> OpenStack Development Mailing List (not for usage questions)
> Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>



-- 
Luke Hinds | NFV Partner Engineering | Office of Technology | Red Hat
e: lhi...@redhat.com | irc: lhinds @freenode | m: +44 77 45 63 98 84 | t: +44
12 52 36 2483
__
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

Re: [openstack-dev] [Glance][Security] Secure Hash Algorithm Spec

[Jeremy Stanley]

On 2017-09-29 12:31:21 -0400 (-0400), Jay Pipes wrote:
[...]
> Can someone please inform me how changing the checksum algorithm
> for this operation to SHA-1 or something else would improve the
> security of this operation?
[...]

The current known flaws in MD5 pretty much boil down to this one
potential exploit scenario:

As a devious malcontent, I construct two images which are specially
engineered to result in the same MD5 checksum (this part alone may
not even be possible depending on the nature of the image protocol
and its metadata headers, but let's leave that aside for the
moment). One image is benign, and the other is malicious in nature.

I upload the benign image and get people to trust it. Later I
(again, exercise left to the imagination of the reader... leveraging
optional external image locations functionality in Glance?)
substitute the malicious image and people begin booting it instead,
continuing to trust it because it has the same checksum.

This example is, of course, contrived and riddled with gaping plot
holes; it would never make for a mystery bestseller. Who or what is
even validating these checksums to begin with? If you can get people
to run images you've uploaded, odds are it's game over anyway
regardless of whether or not the checksums change, and the known
avenues for that involve either an inside job or dangerous
configuration options.

The simpler explanation is that people hear "MD5 is broken" and so
anyone writing policies and auditing security/compliance just tells
you it's verboten. That, and uninformed alarmists who freak out when
they find uses of MD5 and think that means the software will be
hax0red the moment you put it into production. Sometimes it's easier
to just go through the pain of replacing unpopular cryptographic
primitives so you can avoid having this same discussion over and
over with people whose eyes glaze over as soon as you start to try
and tell them anything which disagrees with their paranoid
sensationalist media experts.

Oh, also, SHA-1 isn't much better in this regard.
-- 
Jeremy Stanley


signature.asc
Description: Digital signature
__
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

Re: [openstack-dev] [Glance][Security] Secure Hash Algorithm Spec

[Jay Pipes]

On 09/29/2017 06:19 AM, Luke Hinds wrote:
On Thu, Sep 28, 2017 at 8:38 PM, McClymont Jr, Scott 
> wrote:


Hey All,

I've got a spec up for a change I want to implement in Glance for
Queens to enhance the current checksum (md5) functionality with a
stronger hash algorithm. I'm going to do this in such a way that it
is easily altered in the future for new algorithms as they are
released.  I'd appreciate it if someone on the security team could
look it over and comment. Thanks.

Review: https://review.openstack.org/#/c/507568/



+1 , thanks for undertaking this work. Strong support from the security 
projects side.


Would be good to see all projects move on from MD5 use now, its been 
known to be insecure for sometime and clashes with FIPS-142 compliance.


In the case of Glance's use of MD5 for checksums, it is used to identify 
whether a particular array of bytes that represents an image has 
changed. The client uploads a bytestream to Glance, which does a rolling 
checksum of that byte data for each chunk received and writes the 
checksum to the database upon completion of the upload.


That checksum number never changes since Glance images are immutable 
once uploaded.


Can someone please inform me how changing the checksum algorithm for 
this operation to SHA-1 or something else would improve the security of 
this operation?


As someone who recently had to go through thousands of (mostly bogus) 
entries in a spreadsheet generated from the Bandit "security scanning 
tool", I'd like to ask that we approach these kinds of things with some 
common sense and not just as a checking-the-box-off activity.


md5 is used in a number of places in many OpenStack services, and often 
those uses have nothing to do with cryptography. Rather, in those cases 
md5 is used as a simple mechanism to generate a hash from a name. [1]


All I ask is that we don't have an army of people going out and 
replacing blindly all uses of the MD5 algorithm everywhere, since (as I 
learned recently) that will just lead to a lot of busywork for little gain.


Best,
-jay

[1] https://github.com/openstack/nova/blob/master/nova/utils.py#L1067


__
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

Re: [openstack-dev] [Glance][Security] Secure Hash Algorithm Spec

[Adam Heczko]

Thanks Scott, makes sense.

On Fri, Sep 29, 2017 at 12:19 PM, Luke Hinds  wrote:

>
>
> On Thu, Sep 28, 2017 at 8:38 PM, McClymont Jr, Scott  verizonwireless.com> wrote:
>
>> Hey All,
>>
>> I've got a spec up for a change I want to implement in Glance for Queens
>> to enhance the current checksum (md5) functionality with a stronger hash
>> algorithm. I'm going to do this in such a way that it is easily altered in
>> the future for new algorithms as they are released.  I'd appreciate it if
>> someone on the security team could look it over and comment. Thanks.
>>
>> Review: https://review.openstack.org/#/c/507568/
>>
>>
> +1 , thanks for undertaking this work. Strong support from the security
> projects side.
>
> Would be good to see all projects move on from MD5 use now, its been known
> to be insecure for sometime and clashes with FIPS-142 compliance.
>
>
>
>> --
>> Scott McClymont
>> Sr. Software Engineer
>> Verizon Cloud Platform
>>
>> 
>> __
>> OpenStack Development Mailing List (not for usage questions)
>> Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscrib
>> e
>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>>
>
> __
> OpenStack Development Mailing List (not for usage questions)
> Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>
>


-- 
Adam Heczko
Security Engineer @ Mirantis Inc.
__
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

Re: [openstack-dev] [Glance][Security] Secure Hash Algorithm Spec

[Luke Hinds]

On Thu, Sep 28, 2017 at 8:38 PM, McClymont Jr, Scott <
scott.mcclym...@verizonwireless.com> wrote:

> Hey All,
>
> I've got a spec up for a change I want to implement in Glance for Queens
> to enhance the current checksum (md5) functionality with a stronger hash
> algorithm. I'm going to do this in such a way that it is easily altered in
> the future for new algorithms as they are released.  I'd appreciate it if
> someone on the security team could look it over and comment. Thanks.
>
> Review: https://review.openstack.org/#/c/507568/
>
>
+1 , thanks for undertaking this work. Strong support from the security
projects side.

Would be good to see all projects move on from MD5 use now, its been known
to be insecure for sometime and clashes with FIPS-142 compliance.



> --
> Scott McClymont
> Sr. Software Engineer
> Verizon Cloud Platform
>
> __
> OpenStack Development Mailing List (not for usage questions)
> Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>
__
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

[openstack-dev] [Glance][Security] Secure Hash Algorithm Spec

[McClymont Jr, Scott]

Hey All,

I've got a spec up for a change I want to implement in Glance for Queens to
enhance the current checksum (md5) functionality with a stronger hash
algorithm. I'm going to do this in such a way that it is easily altered in
the future for new algorithms as they are released.  I'd appreciate it if
someone on the security team could look it over and comment. Thanks.

Review: https://review.openstack.org/#/c/507568/

-- 
Scott McClymont
Sr. Software Engineer
Verizon Cloud Platform
__
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev