Fernet tokens have redundant creation timestamps

Bug #1428717 reported by Dolph Mathews on 2015-03-05
Affects: OpenStack Identity (keystone)
Importance: Medium
Assigned to: Dolph Mathews

Bug Description

The creation time of a Fernet token is actually encoded into the token twice. One of these should be removed.

In the payload of every fernet token, we insert the creation time as an integer timestamp. That timestamp gets encrypted along with the rest of the payload.

In addition, the Fernet format itself encodes a timestamp outside the payload. See the 64-bit timestamp in the specification:

  https://github.com/fernet/spec/blob/master/Spec.md#token-format

The application-controlled timestamp should be removed in favor of parsing the creation timestamp out. It requires some bitwise operations, but this library demonstrates how easy the timestamp is to extract without having the Fernet encryption key:

  https://pypi.python.org/pypi/keyless_fernet
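An added example (not code from the bug report, keystone or the keyless_fernet package) showing both halves of the point above: the 64-bit timestamp sits in the cleartext Fernet header and can be read without the key, and a consumer must still verify the HMAC before trusting it. The token layout follows the linked spec; the signing key, IV and ciphertext filler are constructed values, not real AES-CBC output.

```python
import base64
import hashlib
import hmac
import struct

FERNET_VERSION = 0x80   # spec: single version byte, currently always 0x80
MAX_CLOCK_SKEW = 60     # spec: seconds a timestamp may sit in the future

def build_token(signing_key: bytes, timestamp: int, iv: bytes, ciphertext: bytes) -> bytes:
    """Assemble version || timestamp || IV || ciphertext || HMAC per the Fernet spec.
    Constructed example: ciphertext is opaque filler, not real AES-CBC output."""
    body = struct.pack(">BQ", FERNET_VERSION, timestamp) + iv + ciphertext
    tag = hmac.new(signing_key, body, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(body + tag)

def keyless_timestamp(token: bytes) -> int:
    """Read the creation time from the cleartext header: no key required."""
    raw = base64.urlsafe_b64decode(token)
    version, ts = struct.unpack(">BQ", raw[:9])
    if version != FERNET_VERSION:
        raise ValueError("unsupported Fernet version")
    return ts

def rewrite_timestamp(token: bytes, new_ts: int) -> bytes:
    """Overwrite the header timestamp without the key; the HMAC is left as-is,
    which is exactly why an unverified timestamp must never be trusted."""
    raw = bytearray(base64.urlsafe_b64decode(token))
    raw[1:9] = struct.pack(">Q", new_ts)
    return base64.urlsafe_b64encode(bytes(raw))

def verified_timestamp(token: bytes, signing_key: bytes, now: int, ttl: int) -> int:
    """Consumer-side check: HMAC first, then the timestamp is safe to use for TTL."""
    raw = base64.urlsafe_b64decode(token)
    if len(raw) < 9 + 16 + 32 or raw[0] != FERNET_VERSION:
        raise ValueError("malformed token")
    body, tag = raw[:-32], raw[-32:]
    expected = hmac.new(signing_key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("HMAC mismatch")
    ts = struct.unpack(">Q", body[1:9])[0]
    if ts > now + MAX_CLOCK_SKEW:
        raise ValueError("timestamp in the future")
    if now - ts > ttl:
        raise ValueError("token expired")
    return ts

def accepts(token: bytes, signing_key: bytes, now: int, ttl: int) -> bool:
    """Boolean wrapper around verified_timestamp."""
    try:
        verified_timestamp(token, signing_key, now, ttl)
        return True
    except ValueError:
        return False
```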

Dolph Mathews (dolph) wrote:
Changed in keystone:
status: New → In Progress

Change abandoned by Dolph Mathews (<email address hidden>) on branch: master
Review: https://review.openstack.org/162196
Reason: landing discrete changes instead

Changed in keystone:
assignee: Dolph Mathews (dolph) → Lance Bragstad (lbragstad)
Changed in keystone:
assignee: Lance Bragstad (lbragstad) → Dolph Mathews (dolph)
Changed in keystone:
assignee: Dolph Mathews (dolph) → Jorge Munoz (jorge-munoz)
Changed in keystone:
assignee: Jorge Munoz (jorge-munoz) → Dolph Mathews (dolph)

Reviewed: https://review.openstack.org/161897
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=c83f8920bf59563631673c51acd94ce1134a9852
Submitter: Jenkins
Branch: master

commit c83f8920bf59563631673c51acd94ce1134a9852
Author: Dolph Mathews <email address hidden>
Date: Thu Mar 5 21:12:08 2015 +0000

    Remove redundant creation timestamp from fernet tokens

    This removes the creation timestamp from the token's payload in favor of
    extracting the token's creation timestamp from the Fernet token format
    itself.

    Change-Id: I170a07adc1fe6418dfaf2c78e1b439339f1c14ed
    Closes-Bug: 1428717

Changed in keystone:
status: In Progress → Fix Committed
Thierry Carrez (ttx) on 2015-03-19
Changed in keystone:
milestone: none → kilo-3
status: Fix Committed → Fix Released
Thierry Carrez (ttx) on 2015-04-30
Changed in keystone:
milestone: kilo-3 → 2015.1.0