Keystone analysis of several token generation methods _openstack

From the Keystone configuration file, we can see that the token provider currently supports four kinds of them. Token Provider:uuid, PKI, Pkiz, or Fernet

Combining source and official documentation, we use a table to illustrate the differences between them.

Provider Method of Generation | length | Encryption method Advantages Disadvantage UUID

Uuid.uuid4 (). hex,32 character, no encryption method.

The generated token is shorter in length and easy to use. URL easy to use, the way to recycle, is removed from the back end, the realization of the logic is clearer. Need to persist back-end storage, each access requires Keystone related services to authenticate. PKI Cms_sign_data (), using Base64 encoded to encode (replace unsafe characters), rough statistics over length 4602 characters, using cryptographic message Syntax (CMS) For encryption (the default way sha256). Use certificate and private key generation, can be offline verified (do not need to walk Keystone Authentication Service), length load heavy, not recommended for production deployment: Keystone-manage Pki_setup, need to use a certificate issued by a trusted CA Pkiz with PKI, Encoded using the Base64url encoding, the compression mechanism is used to reduce the length by half, and the token begins with the pkiz_. The length of the PKI has shrunk a lot, the length load is heavier, the same PKI fernet messagepacked load data, and using Crypto.encrypt (payload) encryption, a rough statistic length of 183 characters. Symmetric encryption is used to enhance security and to support periodic rotations. Design logic, the introduction of serialization, load format control, based on this encryption, the length of the PKI (Z) is shorter. Symmetric encryption algorithm, low security, from the source code to further analyze the process.

(1) First, UUID, this way is simpler, there is no special encryption, coding process, the core of the generation process, that is, Uuid.uuid4 (). Hex, generate a series of friendly sequences.

(2) PKI process, the first need to use the Keystone-manage pki_setup command to generate the CA and related token mechanism, the code is as follows:

def _get_token_id (self, token_data):
Try


Token_json = Jsonutils.dumps (Token_data, Cls=utils. Pkiencoder)
token_id = str (Cms.cms_sign_token (Token_json,
CONF.signing.certfile,
CONF.signing.keyfile)) #DEFAULT_TOKEN_DIGEST_ALGORITHM =sha256

Among them, ' Token_data ' is to obtain the user, role, endpoint, Catlog and other information collection, and the most important statement is the CMS using the signature generation token process: Cms_sign_token, using the default sha256 method encryption, The process of processing is used to read and process data,

Process = subprocess. Popen ([' OpenSSL ', ' cms ', '-sign ',
'-signer ', Signing_cert_file_name,
'-inkey ', Signing_key_file_name,
'-outform ', ' PEM ',
'-nosmimecap ', '-nodetach ',
'-nocerts ', '-noattr ',

'-md ', message_digest,],
Stdin=subprocess. PIPE,
Stdout=subprocess. PIPE,
Stderr=subprocess. PIPE,
Close_fds=true)

Finally output, err = process.communicate (data) generates TOKEN-ID, this process involves OpenSSL-related cryptographic techniques, again without further elaboration. We just need to know the approximate process of this build.

(3) Pkiz's token generation process, similar to PKI, is based on its compression, the core logic is as follows:

def _get_token_id (self, token_data):
Try


Token_json = Jsonutils.dumps (Token_data, Cls=utils. Pkiencoder)
token_id = str (cms.pkiz_sign (Token_json,
CONF.signing.certfile,
CONF.signing.keyfile))

Unlike PKI, the process of cms.pkiz_sign is used to look further at this process,

def pkiz_sign (text,
Signing_cert_file_name,
Signing_key_file_name,
Compression_level=6,
Message_digest=default_token_digest_algorithm):
Signed = Cms_sign_data (text,


Signing_cert_file_name,
Signing_key_file_name,
Pkiz_cms_form,
Message_digest=message_digest)

compressed = Zlib.compress (Signed, Compression_level)
encoded = Pkiz_prefix + Base64.urlsafe_b64encode (#PKIZ_PREFIX =pkiz_
compressed). Decode (' Utf-8 ')
return encoded

Based on the original PKI, ZIIB compression is introduced and pkiz_ is used as the beginning of token.

(4) Fernet technology, but also need to first use the command keystone-manage Fernet_setup generate the necessary token information, but it has 0, 1 version of the distinction, and can specify the number of versions, default is no more than 3.

(Guess this is to improve security, and polling substitution related) Fernet's token-id generation process, and parameter scope has a great relationship, its core code, support project mode, domain mode, modeless, etc., the processing method is slightly different, Therefore, the Token logic of Fernet has a great relationship with the user's project and domain, and the random factors of token-id generation are reduced. We analyze them in Projec mode.

Payload = federatedprojectscopedpayload.assemble (
    user_id,
    methods,
    project_id,
    expires_at
    , Audit_ids,
    Federated_info)

Versioned_payload = (version,) + payload
serialized_payload = msgpack.packb (versioned_payload)
token = Self.pack (Serialized_payload)

From the above code, visible first is the load data payload processing, assembly process, (should be a number of neo-Confucianism design ...) ）

b_user_id = Cls.attempt_convert_uuid_hex_to_bytes (user_id)

             #user_id Pass in the front u ' b8aff9260dba489a831300630da4079f '-> after the UUID (' b8aff926-0dba-489a-8313-00630da4079f ')
methods = The Auth_plugins.convert_method_list_to_integer (methods) list corresponds to the method of an int 2*int (methods)
b_project_id = Cls.attempt_   Convert_uuid_hex_to_bytes (project_id)
expires_at_int = Cls._convert_time_string_to_int (expires_at) The integer form of the expiration time represents the
B_audit_ids = List (provider.random_urlsafe_str_to_bytes, 	 audit_ IDS)) Audit is a list and is generated with a random binary

The assembly process Returns a list, further composing the load with version, and then encrypts Crypto.encrypt (payload). Rstrip (' = '), and then encode and return to Token-id.

Through the above four kinds of token generation way analysis, visible each way has advantages and disadvantages, if you want to less and keystone interaction, reduce authentication request bandwidth, you can use PKI, Pkiz, Fernet Way, and the logic of these several ways are different, involving the security of encryption methods, The authority of the CA, which requires further consideration, the UUID is the default installation method for the current version of Keystone and is simple to use, except that there is a need to interact with keytone each time the request token. In short, their existence has its own advantages and shortcomings.