yahoo-eng-team team mailing list archive
Message #29757
[Bug 1428717] Re: Fernet tokens have redundant creation timestamps
** Changed in: keystone
Status: Fix Committed => Fix Released
** Changed in: keystone
Milestone: None => kilo-3
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1428717
Title:
Fernet tokens have redundant creation timestamps
Status in OpenStack Identity (Keystone):
Fix Released
Bug description:
The creation time of a Fernet token is actually encoded into the token
twice. One of these should be removed.
In the payload of every fernet token, we insert the creation time as
an integer timestamp. That timestamp gets encrypted along with the
rest of the payload.
In addition, the Fernet format itself encodes a timestamp outside the
payload. See the 64-bit timestamp in the specification:
https://github.com/fernet/spec/blob/master/Spec.md#token-format
The application-controlled timestamp should be removed in favor of
parsing the creation timestamp out. It requires some bitwise
operations, but this library demonstrates how easy the timestamp is to
extract without having the Fernet encryption key:
https://pypi.python.org/pypi/keyless_fernet
To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1428717/+subscriptions
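The bug description points out that the Fernet header's 64-bit timestamp is readable without the encryption key. The following is an added example (not code from the bug report, keystone, or keyless_fernet) that assembles a spec-shaped token and then reads the creation time back from the cleartext header alone. The signing key, IV and ciphertext bytes are constructed stand-ins; the ciphertext is not real AES-CBC output, since only the header matters for the extraction.

```python
import base64
import hashlib
import hmac
import struct
from datetime import datetime, timezone

FERNET_VERSION = 0x80  # the only version byte the Fernet spec defines
# Spec layout: version(1) | timestamp(8, big-endian seconds) | IV(16) | ciphertext | HMAC-SHA256(32)
HEADER_LEN = 1 + 8 + 16
HMAC_LEN = 32


def extract_timestamp(token):
    """Return the creation time from the cleartext Fernet header.

    No key is needed: the timestamp precedes the AES-encrypted payload and
    is only covered by the HMAC. Nothing here verifies that HMAC, so the
    value is untrusted until the token is validated with the real key.
    """
    raw = base64.urlsafe_b64decode(token)
    if len(raw) < HEADER_LEN + HMAC_LEN:
        raise ValueError("too short to be a Fernet token")
    if raw[0] != FERNET_VERSION:
        raise ValueError("unknown Fernet version byte 0x%02x" % raw[0])
    (seconds,) = struct.unpack(">Q", raw[1:9])
    return datetime.fromtimestamp(seconds, tz=timezone.utc)


def build_token(signing_key, created, iv, ciphertext):
    """Assemble a spec-shaped token. Constructed for the demo: the
    ciphertext is taken as given instead of being produced by AES-CBC."""
    header = bytes([FERNET_VERSION]) + struct.pack(">Q", int(created.timestamp())) + iv
    body = header + ciphertext
    mac = hmac.new(signing_key, body, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(body + mac)


def demo():
    """Mint a token at a fixed time, then read the time back without the key.

    Returns (recovered_epoch, original_epoch). Key, IV and ciphertext are
    constructed sample values, not output of a real Fernet implementation.
    """
    created = datetime(2015, 3, 5, 12, 0, 0, tzinfo=timezone.utc)
    signing_key = b"\x01" * 16   # constructed demo signing key
    iv = b"\x02" * 16            # constructed demo IV
    ciphertext = b"\x03" * 32    # constructed opaque bytes standing in for AES output
    token = build_token(signing_key, created, iv, ciphertext)
    recovered = extract_timestamp(token)  # note: no key is passed in
    return int(recovered.timestamp()), int(created.timestamp())
```

Because the header timestamp is authenticated by the HMAC, a validating service still learns the true creation time once it checks the token with its key, so the copy inside the encrypted payload adds nothing.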