Security_of_openstack_keystone

  1. Experimenting Security of Keystone (Authentication Module of OpenStack). Presented by Yun Zhang, Tahmina Ahmed & Prosunjit Biswas, UTSA
  2. OpenStack • OpenStack is cloud software to manage the virtual infrastructure (virtual CPU, virtual memory and so on) of an ‘Infrastructure as a Service’ cloud. • Analogous to an operating system for the cloud.
  3. Keystone • Keystone is an OpenStack project that provides Identity, Token, Catalog and Policy services for use specifically by projects in the OpenStack family.
  4. Keystone in the Big Picture. Keystone’s role in launching a VM instance: 1. Client obtains a token from Keystone. 2. Client sends a request to the Nova API to launch a VM instance. 3. Nova API verifies the token in Keystone. 4. Nova requests Keystone to get all available quotas for the project/user. Nova calculates the amount of used resources and allows or permits operation. 5. Nova API calls nova-compute via RPC to launch the VM instance.
  5. Keystone Components and Operations. Token Operations: 1. Token Generation 2. Token Verification 3. Token Revocation 4. Signing Token. Service Catalog Ops: 1. Maintain service list and service endpoint. Identity Mngt Ops: 1. Maintaining Tenant 2. Maintaining User 3. Maintaining Role
  6. Experiment 1: Resiliency of Keystone on DDoS Attack. Attack scenarios: 1. Request for generating tokens 2. Request for a service catalog 3. Ask for token revocation list
  7. Experiment 1: Resiliency of Keystone on DDoS Attack. Attack configuration. Keystone is running in a VM with the following configuration: 1. V. CPU: TBD 2. V. Memory: TBD. Attack machine configuration: No. of machines: 10 1. V. CPU: TBD 2. V. Memory: TBD
  8. Experiment 1: Resiliency of Keystone on DDoS Attack. Monitoring the Keystone machine for attack resiliency: 1. Finding the processing time for each request 2. Finding the memory and CPU use of the Keystone machine over time. Work plan: 1. Develop a script that continuously monitors the Keystone machine’s health status (CPU utilization, memory usage)
  9. Experiment 2: Checking Randomness of Generated Token • Why token randomness: – It ensures that an attacker-generated token never corresponds to a valid token
  10. Experiment 2: Checking Randomness of Generated Token • Experiment synopsis: – Generate 10000 tokens and plot them in a scatterplot. – Determine the probability that two generated tokens are the same.
  11. Project Challenges • Incomplete documentation
  12. Question / Comment
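
The analysis that Experiment 2 outlines (slides 9 and 10), as an added Python example that is not from the presentation or from Keystone: it counts duplicate tokens, tests hex-digit uniformity, and computes the birthday-bound probability that two tokens collide. The sample tokens are constructed locally with `secrets.token_hex`; the function names and the 128-bit token length are assumptions.

```python
import math
import secrets
from collections import Counter

HEX = "0123456789abcdef"

def duplicate_count(tokens):
    """Number of tokens that repeat an earlier token in the sample."""
    return len(tokens) - len(set(tokens))

def birthday_collision_probability(n, bits):
    """Chance that any two of n uniformly random `bits`-bit tokens collide.

    Uses the approximation 1 - exp(-n(n-1) / 2^(bits+1)); expm1 keeps
    precision when the result is far below float epsilon.
    """
    return -math.expm1(-n * (n - 1) / 2 ** (bits + 1))

def hex_chi_square(tokens):
    """Chi-square statistic of hex-digit frequencies against uniform.

    With 15 degrees of freedom, a value above about 37.7 (p = 0.001)
    suggests the digits are not uniformly distributed.
    """
    counts = Counter(c for c in "".join(tokens).lower() if c in HEX)
    total = sum(counts.values())
    if total == 0:
        raise ValueError("no hex digits in sample")
    expected = total / 16
    return sum((counts.get(d, 0) - expected) ** 2 / expected for d in HEX)

def assess(tokens, bits):
    """Summary of the three checks for one token sample."""
    return {
        "duplicates": duplicate_count(tokens),
        "chi_square": hex_chi_square(tokens),
        "p_collision_if_uniform": birthday_collision_probability(len(tokens), bits),
    }

if __name__ == "__main__":
    # Constructed sample: 10000 random 128-bit hex tokens standing in for
    # tokens collected from a Keystone test deployment (assumption).
    sample = [secrets.token_hex(16) for _ in range(10000)]
    print("random :", assess(sample, bits=128))
    # Constructed weak generator (a plain counter) for comparison.
    weak = [format(i, "032x") for i in range(10000)]
    print("counter:", assess(weak, bits=128))
```

A counter-based generator produces no duplicates in 10000 draws yet fails the uniformity test by a wide margin, which is why the duplicate count alone is not evidence of randomness.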