Experimenting Security of Keystone
(Authentication Module of OpenStack)
Presented By
Yun Zhang, Tahmina Ahmed &
Prosunjit Biswas
UTSA
OpenStack
• OpenStack is cloud software that manages the virtual infrastructure (virtual CPUs,
virtual memory and so on) of an ‘Infrastructure as a Service’ cloud.
• Analogous to an operating system for the cloud.
Keystone
• Keystone is an OpenStack project that provides Identity, Token, Catalog
and Policy services for use specifically by projects in the OpenStack family

Keystone in the Big Picture
Keystone’s Role in Launching a VM
instance:

1. Client obtains a token from
Keystone
2. Client sends a request to the Nova
API to launch a VM instance
3. Nova API verifies the token with
Keystone
4. Nova requests from Keystone the
quotas available to the
project/user, calculates the
amount of resources already used,
and allows or denies the operation
5. Nova API calls nova-compute
via RPC to launch the VM instance.
Keystone Components and Operations

Token Operations:
1. Token Generation
2. Token Verification
3. Token Revocation
4. Signing Token

Service Catalog Ops:
1. Maintain service list and service
endpoints

Identity Mgmt Ops:
1. Maintaining Tenant
2. Maintaining User
3. Maintaining Role
Experiment 1

Resiliency of Keystone under DDoS Attack
Attack scenarios:

1. Requests for generating
tokens
2. Requests for the service
catalog
3. Requests for the token
revocation list
Experiment 1

Resiliency of Keystone under DDoS Attack
Attack Configuration
Keystone is running in a VM
with the following configuration:
1. V. CPU: TBD
2. V. Memory: TBD
Attack machine configuration:
No. of machines: 10
1. V. CPU: TBD
2. V. Memory: TBD
Experiment 1

Resiliency of Keystone under DDoS Attack
Monitoring the Keystone
Machine for Attack
Resiliency:
1. Measuring the processing
time of each request
2. Measuring memory and
CPU use of the
Keystone machine
over time.
Work Plan:
1. Develop a script that continuously monitors the Keystone machine’s
health status (CPU utilization, memory usage)
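One way to carry out the Experiment 1 work plan, as an added example that is not code from the slides or from the OpenStack project: a small load generator that issues token requests from a pool of worker threads (one per attack machine) and records the processing time of each request, plus a sampler that reads CPU and memory use of the Keystone VM from /proc. The Keystone v2.0 endpoint URL, the credentials and the /proc snapshots at the bottom are assumptions constructed for the example, not values from the slides.

```python
"""Experiment 1 helper (added example): fire token requests at Keystone from a
pool of worker threads, record per-request processing time, and sample the
Keystone host's CPU and memory use from /proc.  The Keystone v2.0 endpoint,
credentials and /proc snapshots below are assumptions, not values from the slides."""
import json
import math
import statistics
import time
import urllib.request
from concurrent.futures import ThreadPoolExecutor

KEYSTONE_TOKENS_URL = "http://keystone.example.test:5000/v2.0/tokens"  # assumed


def keystone_token_request(url=KEYSTONE_TOKENS_URL, user="demo",
                           password="secret", tenant="demo"):
    """Attack scenario 1: one Keystone v2.0 password-credential token request.
    Returns the HTTP status code.  (Assumed endpoint and credentials.)"""
    body = json.dumps({"auth": {"tenantName": tenant,
                                "passwordCredentials": {"username": user,
                                                        "password": password}}})
    req = urllib.request.Request(url, data=body.encode(),
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status


def timed_calls(fn, n, workers=10):
    """Call fn() n times across `workers` threads (one per attack machine in the
    slide's setup).  Returns a list of (latency_seconds, succeeded) tuples."""
    def one(_):
        t0 = time.perf_counter()
        try:
            fn()
            ok = True
        except Exception:          # connection refused, timeout, HTTP error ...
            ok = False
        return time.perf_counter() - t0, ok
    with ThreadPoolExecutor(max_workers=workers) as pool:
        return list(pool.map(one, range(n)))


def summarize(results):
    """Processing-time statistics for a batch of timed calls."""
    lat = sorted(l for l, _ in results)
    failed = sum(1 for _, ok in results if not ok)
    return {"n": len(lat), "failed": failed,
            "mean_s": statistics.fmean(lat),
            "p95_s": lat[math.ceil(0.95 * len(lat)) - 1],
            "max_s": lat[-1]}


def parse_proc_stat(text):
    """(idle_jiffies, total_jiffies) from the aggregate 'cpu' line of /proc/stat."""
    for line in text.splitlines():
        if line.startswith("cpu "):
            f = [int(x) for x in line.split()[1:]]
            return f[3] + f[4], sum(f)          # idle + iowait, everything
    raise ValueError("no aggregate cpu line")


def cpu_utilization_percent(stat_before, stat_after):
    """CPU busy % between two /proc/stat snapshots."""
    idle0, tot0 = parse_proc_stat(stat_before)
    idle1, tot1 = parse_proc_stat(stat_after)
    delta = tot1 - tot0
    return 0.0 if delta == 0 else 100.0 * (1.0 - (idle1 - idle0) / delta)


def memory_used_percent(meminfo_text):
    """Used memory % from /proc/meminfo (MemAvailable-based, as `free` does)."""
    kv = {}
    for line in meminfo_text.splitlines():
        key, _, val = line.partition(":")
        if val.strip():
            kv[key.strip()] = int(val.split()[0])
    avail = kv.get("MemAvailable",
                   kv["MemFree"] + kv.get("Buffers", 0) + kv.get("Cached", 0))
    return 100.0 * (kv["MemTotal"] - avail) / kv["MemTotal"]


def sample_host(interval=1.0):
    """Run on the Keystone VM: one (cpu%, mem%) sample over `interval` seconds."""
    with open("/proc/stat") as f:
        before = f.read()
    time.sleep(interval)
    with open("/proc/stat") as f:
        after = f.read()
    with open("/proc/meminfo") as f:
        mem = f.read()
    return cpu_utilization_percent(before, after), memory_used_percent(mem)


# Constructed /proc snapshots so the parsers can be exercised offline.
STAT_BEFORE = "cpu  1000 0 500 8000 100 0 0 0 0 0\ncpu0 1000 0 500 8000 100 0 0 0 0 0\n"
STAT_AFTER = "cpu  1600 0 800 8200 100 0 0 0 0 0\ncpu0 1600 0 800 8200 100 0 0 0 0 0\n"
MEMINFO = ("MemTotal:       2048000 kB\nMemFree:         512000 kB\n"
           "MemAvailable:   1024000 kB\nBuffers:         100000 kB\n"
           "Cached:          400000 kB\n")

if __name__ == "__main__":
    print(cpu_utilization_percent(STAT_BEFORE, STAT_AFTER), memory_used_percent(MEMINFO))
    # Against a live Keystone (assumed URL), while sample_host() loops on the VM:
    # print(summarize(timed_calls(keystone_token_request, 1000, workers=10)))
```

Run `sample_host()` in a loop on the Keystone VM and `timed_calls(keystone_token_request, ...)` on each attack machine; the other two attack scenarios only need a different request function (a GET of the service catalog or of the revocation list) passed to `timed_calls`. Counting failed calls separately from latency matters, because a service that starts refusing connections under load looks fast if only successful requests are timed.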
Experiment 2

Checking Randomness of Generated
Tokens
• Why token randomness:
– It ensures that a token forged or guessed by an attacker has only a
negligible probability of matching a valid token
Experiment 2

Checking Randomness of Generated
Tokens

• Experiment Synopsis:
– Generate 10000 tokens and
plot them in a scatterplot.

– Determine the probability
that two generated
tokens are the same.
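The Experiment 2 synopsis carried through in code, as an added example that is not from the slides or from Keystone itself: generate N tokens, count exact collisions, compare the result with the birthday bound for the token's random bits, and measure the entropy of each character position so that fixed or biased positions stand out. Keystone's real token format depends on the release and token provider; the generator below assumes the 32-hex-character UUID tokens of the Keystone v2 era, and `scatter_points` produces the (x, y) pairs for the slide's scatterplot without depending on a plotting library.

```python
"""Experiment 2 helper (added example): generate N tokens, count exact
collisions, compare against the birthday bound, and measure the entropy of
every token position so fixed or biased positions stand out.  Assumption: the
tokens are uuid4().hex strings (32 hex chars), as in Keystone v2 deployments."""
import math
import uuid
from collections import Counter


def uuid_token():
    """Assumed token shape: uuid4().hex, 32 hex chars carrying 122 random bits."""
    return uuid.uuid4().hex


def generate_tokens(n, gen=uuid_token):
    """N tokens from the generator under test (swap in a live Keystone call)."""
    return [gen() for _ in range(n)]


def duplicate_count(tokens):
    """Number of tokens that repeat an earlier one (the slide's collision check)."""
    return len(tokens) - len(set(tokens))


def birthday_bound(n, random_bits):
    """Probability that at least one pair among n uniformly random tokens with
    `random_bits` random bits collides: 1 - exp(-n(n-1) / 2^(random_bits+1)).
    expm1 keeps the tiny result accurate instead of rounding it to 0.0."""
    return -math.expm1(-n * (n - 1) / 2.0 ** (random_bits + 1))


def position_entropy(tokens):
    """Shannon entropy (bits) of the symbol observed at each character position."""
    width = len(tokens[0])
    out = []
    for i in range(width):
        counts = Counter(t[i] for t in tokens)
        total = sum(counts.values())
        out.append(-sum(c / total * math.log2(c / total) for c in counts.values()))
    return out


def biased_positions(tokens, alphabet_bits=4.0, slack=0.25):
    """Positions whose entropy falls well below that of a uniform hex digit."""
    return [i for i, h in enumerate(position_entropy(tokens))
            if h < alphabet_bits - slack]


def scatter_points(tokens):
    """(x, y) pairs for the slide's scatterplot: the two halves of each token as
    integers, so structure in the generator shows up as bands or clusters."""
    half = len(tokens[0]) // 2
    return [(int(t[:half], 16), int(t[half:], 16)) for t in tokens]


def report(tokens, random_bits=122):
    n = len(tokens)
    return {"tokens": n,
            "duplicates": duplicate_count(tokens),
            "expected_collision_probability": birthday_bound(n, random_bits),
            "biased_positions": biased_positions(tokens)}


if __name__ == "__main__":
    print(report(generate_tokens(10000)))
    # For uuid4 tokens biased_positions is [12, 16]: the UUID version nibble
    # (always '4') and the variant nibble (one of 8, 9, a, b) carry 0 and 2
    # bits rather than 4, which is why only 122 of the 128 bits are random.
```

Zero duplicates in 10000 tokens is the expected outcome for any sane generator (the birthday bound for 122 random bits is around 10^-29), so the absence of collisions says little on its own; the per-position entropy and the scatterplot are what reveal a token provider that fixes or biases parts of the token, and a live run should feed real Keystone tokens into `report` via `generate_tokens(n, gen=...)`.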
Project Challenges

• Incomplete
documentation
Questions / Comments