We had a recent IRC discussion about the design of Trusts and how it compares with OAuth version 1.
Category Archives: PKI
Trusts and Role Based Access Control for Open Stack
Bearer tokens are vulnerable to replay attacks. OK, so what are our options? Something where the user proves, via cryptography, that they have the right to actually use the token. It doesn’t matter if it is X509, Kerberos, or something we cook up ourselves; it is going to resolve to proving you have the right to use that token.
If tokens must be validated by the owner, we effectively break the ability of OpenStack to hand around bearer tokens to get work done. We are going to have to get a lot of stuff right in order to keep from breaking things. Fortunately, we now have the tools to work around this, and to better secure an OpenStack system: Trusts and Role Based Access Control.
Multifactor Auth and Keystone
Something you have. Something you are. Something you know. Pick two. This is the conventional wisdom for the basis of secure authentication.
PKI tokens and Horizon
With PKI, tokens have gone from 40 bytes to a varying size of more than 3000 bytes. This, plus the additional payload in Horizon, means that they no longer fit inside an HTTP cookie. How do we deal with this?
Preauthorization in Keystone
“I’ll gladly pay you Tuesday for a Hamburger Today” –Wimpy, from the Popeye Cartoon.
Sometimes you need to authorize a service to perform an action on your behalf. Often, that action takes place long after any authentication token you can provide would have expired. Currently, the only mechanism in Keystone that people can use is to share credentials. We can do better.
Testing PKI Tokens in pre-release Folsom
There have been a few questions regarding PKI tokens and their testing in the OpenStack code base. Here are the steps:
My Keystone To do list Fall 2012
Once again it is time to brain dump the things I want to make happen in the next release of OpenStack.
Testing out PKI Signed tokens in Openstack Keystone
I’ve put a fair amount of time into the Signed Tokens implementation. Now that they have been merged into the master branch of Keystone, I’d like to get some more people playing around with the feature, and see how it impacts things.
Why Keystone Tokens are not Certificates
A Certificate Authority signs other certificates. A signing certificate can sign documents. There is a big difference. With this week’s discussion of the Flame malware and the mechanism used to sign it, I think it is important to point out why we are not using an X509 as the signed token in Keystone.
Token Signing with OpenSSL
While Fedora has standardised on NSS for security services, a large swath of the world uses OpenSSL. Here are steps to sign a message with OpenSSL, roughly comparable to those I previously posted using NSS.