yahoo-eng-team team mailing list archive
Message #29079
[Bug 1428717] [NEW] Fernet tokens have redundant creation timestamps
Public bug reported:
The creation time of a Fernet token is actually encoded into the token
twice. One of these should be removed.
In the payload of every fernet token, we insert the creation time as an
integer timestamp. That timestamp gets encrypted along with the rest of
the payload.
In addition, the Fernet format itself encodes a timestamp outside the
payload. See the 64-bit timestamp in the specification:
https://github.com/fernet/spec/blob/master/Spec.md#token-format
The application-controlled timestamp should be removed in favor of
parsing the creation timestamp out. It requires some bitwise operations,
but this library demonstrates how easy the timestamp is to extract
without having the Fernet encryption key:
https://pypi.python.org/pypi/keyless_fernet
** Affects: keystone
Importance: Medium
Assignee: Dolph Mathews (dolph)
Status: New
** Tags: fernet
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1428717
To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1428717/+subscriptions
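The header field the report refers to, as an added example that is neither Keystone's nor keyless_fernet's code: it reads the 64-bit timestamp that the Fernet format keeps in the clear, once without the key (the keyless extraction the report mentions, which is unauthenticated) and once after the HMAC has been verified with the signing half of the key, which is the only reading a validator should trust. The key, timestamp and token below are constructed sample values, and the "ciphertext" is filler rather than AES output, since only the header is examined.

```python
import base64
import hashlib
import hmac
import struct

VERSION = 0x80   # the only token version defined by the Fernet spec
HMAC_LEN = 32    # HMAC-SHA256 tag appended to every token

def timestamp_without_key(token: bytes) -> int:
    """Read the 64-bit big-endian creation time the Fernet format stores in
    the clear right after the version byte. No key is needed, so this value
    is unauthenticated until the HMAC has been checked."""
    data = base64.urlsafe_b64decode(token)
    # version(1) + timestamp(8) + IV(16) + one AES block(16) + HMAC(32)
    if len(data) < 1 + 8 + 16 + 16 + HMAC_LEN or data[0] != VERSION:
        raise ValueError("not a Fernet token")
    (timestamp,) = struct.unpack(">Q", data[1:9])
    return timestamp

def timestamp_with_key(token: bytes, fernet_key: bytes) -> int:
    """Same field, returned only after the tag verifies with the signing half
    (first 16 bytes) of the Fernet key, which is what a validator must do."""
    data = base64.urlsafe_b64decode(token)
    signing_key = base64.urlsafe_b64decode(fernet_key)[:16]
    tag = hmac.new(signing_key, data[:-HMAC_LEN], hashlib.sha256).digest()
    if not hmac.compare_digest(tag, data[-HMAC_LEN:]):
        raise ValueError("Fernet HMAC check failed")
    return timestamp_without_key(token)

def build_token(fernet_key: bytes, timestamp: int, iv: bytes, ciphertext: bytes) -> bytes:
    """Assemble a spec-shaped token and sign it. The ciphertext bytes are
    taken as given; the sample below passes constructed filler, not AES-CBC
    output, because only the header is examined here."""
    signing_key = base64.urlsafe_b64decode(fernet_key)[:16]
    body = bytes([VERSION]) + struct.pack(">Q", timestamp) + iv + ciphertext
    tag = hmac.new(signing_key, body, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(body + tag)

def with_header_timestamp(token: bytes, timestamp: int) -> bytes:
    """Re-encode a token with a different header timestamp and the original
    tag; used to show that the keyed reader rejects an edited header."""
    data = bytearray(base64.urlsafe_b64decode(token))
    data[1:9] = struct.pack(">Q", timestamp)
    return base64.urlsafe_b64encode(bytes(data))

# Constructed sample values (not a real Keystone key or token).
SAMPLE_KEY = base64.urlsafe_b64encode(bytes(range(32)))
SAMPLE_TIMESTAMP = 1425600000   # 2015-03-06 00:00:00 UTC
SAMPLE_TOKEN = build_token(SAMPLE_KEY, SAMPLE_TIMESTAMP, b"\x01" * 16, b"\x02" * 32)
```

Both readers return the same value for an intact token, so a second copy of the creation time inside the encrypted payload adds nothing once the tag has been checked; the difference is only that the keyless reading cannot detect an edited header.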