
yahoo-eng-team team mailing list archive

[Bug 1428717] [NEW] Fernet tokens have redundant creation timestamps


Public bug reported:

The creation time of a Fernet token is actually encoded into the token
twice. One of these should be removed.

In the payload of every Fernet token, we insert the creation time as an
integer timestamp. That timestamp gets encrypted along with the rest of
the payload.

In addition, the Fernet format itself encodes a timestamp outside the
payload. See the 64-bit timestamp in the specification:

  https://github.com/fernet/spec/blob/master/Spec.md#token-format

The application-controlled timestamp should be removed in favor of
parsing the creation timestamp out. It requires some bitwise operations,
but this library demonstrates how easy the timestamp is to extract
without having the Fernet encryption key:

  https://pypi.python.org/pypi/keyless_fernet

** Affects: keystone
     Importance: Medium
     Assignee: Dolph Mathews (dolph)
         Status: New


** Tags: fernet

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1428717

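The extraction the report refers to, shown as an added example that is not Keystone's code and not the keyless_fernet library: it parses the Fernet token layout from the spec (version byte 0x80, 64-bit big-endian timestamp, 16-byte IV, ciphertext, 32-byte HMAC-SHA256, all base64url-encoded), reads the creation timestamp without any key, and then shows the caveat that matters for Keystone's purposes: the timestamp is cleartext, but it is covered by the HMAC, so it cannot be altered without the signing key. The 16-byte signing key, the fixed issue time and the token itself are constructed for the demonstration; the ciphertext field is a random placeholder rather than real AES-128-CBC output, since the standard library has no AES and the point here is the unencrypted header.

```python
"""Read a Fernet token's creation time without the key (added example).

Fernet token layout (https://github.com/fernet/spec/blob/master/Spec.md):
    Version (1 byte, 0x80) || Timestamp (8 bytes, big-endian seconds since
    epoch) || IV (16 bytes) || Ciphertext (n*16 bytes) || HMAC (32 bytes)
The whole thing is base64url-encoded. Only the ciphertext is encrypted;
the timestamp sits in the clear and is protected only by the HMAC.
"""
import base64
import hashlib
import hmac
import os
import struct
from datetime import datetime, timezone

FERNET_VERSION = 0x80
HEADER_FMT = ">BQ"                         # version byte, 64-bit BE timestamp
HEADER_LEN = struct.calcsize(HEADER_FMT)   # 9 bytes
IV_LEN = 16
HMAC_LEN = 32


def _b64url_decode(token):
    """Decode a urlsafe-base64 token, restoring any '=' padding stripped."""
    if isinstance(token, str):
        token = token.encode("ascii")
    token += b"=" * (-len(token) % 4)
    return base64.urlsafe_b64decode(token)


def parse_token(token):
    """Split a Fernet token into its fields. No key is needed for this."""
    raw = _b64url_decode(token)
    if len(raw) < HEADER_LEN + IV_LEN + HMAC_LEN:
        raise ValueError("token too short to be a Fernet token")
    version, ts = struct.unpack(HEADER_FMT, raw[:HEADER_LEN])
    if version != FERNET_VERSION:
        raise ValueError("unsupported Fernet version 0x%02x" % version)
    ciphertext = raw[HEADER_LEN + IV_LEN:-HMAC_LEN]
    if len(ciphertext) % 16:
        raise ValueError("ciphertext is not a whole number of AES blocks")
    return {
        "timestamp": ts,
        "iv": raw[HEADER_LEN:HEADER_LEN + IV_LEN],
        "ciphertext": ciphertext,
        "hmac": raw[-HMAC_LEN:],
        "signed": raw[:-HMAC_LEN],   # what the HMAC covers
    }


def creation_time(token):
    """Return the token's creation time as an aware UTC datetime."""
    return datetime.fromtimestamp(parse_token(token)["timestamp"], timezone.utc)


def verify_hmac(token, signing_key):
    """Check the HMAC-SHA256 tag; this is the only step that needs a key.

    A Fernet key is 32 bytes: the first 16 are the signing key, the last 16
    the AES key. Only the signing half is needed to validate the header.
    """
    fields = parse_token(token)
    expected = hmac.new(signing_key, fields["signed"], hashlib.sha256).digest()
    return hmac.compare_digest(expected, fields["hmac"])


def build_token(timestamp, signing_key, ciphertext=None):
    """Construct a token with the spec's layout (constructed test data).

    The ciphertext is a random placeholder, not real AES-128-CBC output;
    the HMAC is computed as the spec describes, over
    version || timestamp || IV || ciphertext.
    """
    iv = os.urandom(IV_LEN)
    if ciphertext is None:
        ciphertext = os.urandom(32)
    signed = struct.pack(HEADER_FMT, FERNET_VERSION, timestamp) + iv + ciphertext
    tag = hmac.new(signing_key, signed, hashlib.sha256).digest()
    # Keystone strips the '=' padding from tokens it hands out; do the same.
    return base64.urlsafe_b64encode(signed + tag).rstrip(b"=").decode("ascii")


def tamper_timestamp(token, new_timestamp):
    """Rewrite the cleartext timestamp field without touching the HMAC."""
    raw = _b64url_decode(token)
    raw = struct.pack(HEADER_FMT, FERNET_VERSION, new_timestamp) + raw[HEADER_LEN:]
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


if __name__ == "__main__":
    key = b"\x01" * 16          # constructed signing key
    issued = 1425000000         # constructed issue time, 2015-02-27T01:20:00Z
    tok = build_token(issued, key)
    print("created (no key used):", creation_time(tok).isoformat())
    print("hmac ok:", verify_hmac(tok, key))
    forged = tamper_timestamp(tok, issued + 3600)
    print("forged timestamp still readable:", creation_time(forged).isoformat())
    print("forged hmac ok:", verify_hmac(forged, key))
```

Note that `parse_token` accepts tokens both with and without base64 padding, since Keystone strips the trailing `=` before returning a token. Because the HMAC covers the timestamp, the outer timestamp is as trustworthy as the rest of the token once the tag has been checked, which is what makes dropping the duplicate inside the payload safe.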

