yahoo-eng-team team mailing list archive

[Bug 1427485] Re: Fernet tokens contain a version identifier that is not integrity verified


** Changed in: keystone
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1427485

Title:
  Fernet tokens contain a version identifier that is not integrity
  verified

Status in OpenStack Identity (Keystone):
  Fix Released

Bug description:
  Fernet tokens all start with a plaintext string of either "F00" or
  "F01" indicating either "version 0" (normal unscoped and scoped
  tokens) or "version 1" (trust-based tokens). That versioning lies
  outside of the integrity-verified portion of the token, and is thus
  susceptible to manipulation by end users.

  With only two token versions, this doesn't present any issues that I'm
  aware of, but to harden ourselves against the future, we should move
  that versioning information into the integrity-verified portion of the
  message. Otherwise, we carry a risk of future implementations
  inadvertently introducing privilege escalation vulnerabilities, a
  means for end users to disable authorization checks by supplying older
  versions, etc., etc.

  In addition, the format prefix was originally intended to make it
  easier for remote clients (keystonemiddleware.auth_token) to parse
  apart and validate tokens without going back to talk to Keystone.
  Since that's not the plan here (Fernet tokens must be validated with
  Keystone, since that's the only place where the encryption keys are
  accessible), the entire format prefix ("F00" / "F01") can be dropped,
  as long as Keystone can still validate the tokens it's issuing.

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1427485/+subscriptions
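A small model of the two token layouts discussed in this bug, added here as an illustration and not Keystone's own code: Fernet's AES-CBC + HMAC blob is stood in for by an HMAC-SHA256 over a JSON body, the key is constructed, and the field name "v" and all function names are assumptions. It shows that a version carried as a plaintext prefix is accepted unchanged by validation, while a version carried inside the authenticated body cannot be altered without failing the MAC.

```python
import base64
import hmac
import json

KEY = b"constructed-demo-key-not-a-real-keystone-key"  # constructed for this demo
TAG_LEN = 32  # HMAC-SHA256 tag length in bytes

def _seal(body: bytes) -> str:
    # base64url(body || HMAC(body)): stands in for Fernet's AES-CBC + HMAC blob.
    tag = hmac.new(KEY, body, "sha256").digest()
    return base64.urlsafe_b64encode(body + tag).decode()

def _open(token: str) -> bytes:
    blob = base64.urlsafe_b64decode(token)
    body, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(KEY, body, "sha256").digest()):
        raise ValueError("integrity check failed")
    return body

# Original layout: the "F00"/"F01" prefix sits outside the authenticated blob.
def issue_prefixed(version: str, payload: dict) -> str:
    return version + _seal(json.dumps(payload, sort_keys=True).encode())

def validate_prefixed(token: str):
    # The version is read from the unsigned prefix: nothing binds it to the MAC.
    return token[:3], json.loads(_open(token[3:]))

# Hardened layout: the version is a field inside the authenticated body.
def issue_embedded(version: int, payload: dict) -> str:
    return _seal(json.dumps({"v": version, **payload}, sort_keys=True).encode())

def validate_embedded(token: str):
    # The version is read only after the MAC over the whole body has passed.
    data = json.loads(_open(token))
    return data.pop("v"), data

def version_swap_detected(layout: str, token: str) -> bool:
    # Change the version without recomputing the tag; True if validation rejects it.
    if layout == "prefixed":
        forged = ("F01" if token.startswith("F00") else "F00") + token[3:]
        validate = validate_prefixed
    else:
        blob = base64.urlsafe_b64decode(token)
        body = blob[:-TAG_LEN].replace(b'"v": 0', b'"v": 1')
        forged = base64.urlsafe_b64encode(body + blob[-TAG_LEN:]).decode()
        validate = validate_embedded
    try:
        validate(forged)
    except ValueError:
        return True
    return False
```

Running `version_swap_detected` on both layouts gives False for the prefixed token and True for the embedded one, which is exactly the gap the report describes.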
