Public bug reported:

The creation time of a Fernet token is actually encoded into the token twice. One of these should be removed.

In the payload of every fernet token, we insert the creation time as an integer timestamp. That timestamp gets encrypted along with the rest of the payload. In addition, the Fernet format itself encodes a timestamp outside the payload. See the 64-bit timestamp in the specification:

  https://github.com/fernet/spec/blob/master/Spec.md#token-format

The application-controlled timestamp should be removed in favor of parsing the creation timestamp out. It requires some bitwise operations, but this library demonstrates how easy the timestamp is to extract without having the Fernet encryption key:

  https://pypi.python.org/pypi/keyless_fernet

** Affects: keystone
     Importance: Medium
     Assignee: Dolph Mathews (dolph)
         Status: New

** Tags: fernet

--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1428717

Title:
  Fernet tokens have redundant creation timestamps

Status in OpenStack Identity (Keystone):
  New

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1428717/+subscriptions

--
Mailing list: https://launchpad.net/~yahoo-eng-team
Post to     : yahoo-eng-team@lists.launchpad.net
Unsubscribe : https://launchpad.net/~yahoo-eng-team
More help   : https://help.launchpad.net/ListHelp
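As an added example, not code from the bug report, from keystone or from keyless_fernet: a stdlib-only Python parser that reads the 64-bit header timestamp the Fernet spec places outside the encrypted payload, applies the spec's TTL rule to it, and verifies the HMAC-SHA256 tag that covers that header. The key, IV, timestamp and token below are constructed for the demo; the token body is placeholder bytes standing in for the AES-CBC ciphertext, which this example never encrypts or decrypts, because the point is what can be read without the encryption key.

```python
import base64
import hashlib
import hmac
import struct

# Fernet token layout (spec: Version | Timestamp | IV | Ciphertext | HMAC)
FERNET_VERSION = 0x80
TIMESTAMP_LEN = 8        # big-endian unsigned seconds since the Unix epoch
IV_LEN = 16
HMAC_LEN = 32
MIN_TOKEN_LEN = 1 + TIMESTAMP_LEN + IV_LEN + HMAC_LEN
MAX_CLOCK_SKEW = 60      # seconds, as in the Fernet spec


def _b64url_decode(data):
    """Decode URL-safe base64, tolerating stripped '=' padding."""
    if isinstance(data, str):
        data = data.encode("ascii")
    return base64.urlsafe_b64decode(data + b"=" * (-len(data) % 4))


def extract_timestamp(token):
    """Return the creation timestamp from the token's cleartext header.

    No key is needed: only the version byte and the 8 bytes after it are read.
    """
    raw = _b64url_decode(token)
    if len(raw) < MIN_TOKEN_LEN:
        raise ValueError("too short to be a Fernet token")
    if raw[0] != FERNET_VERSION:
        raise ValueError("unsupported Fernet version byte 0x%02x" % raw[0])
    (timestamp,) = struct.unpack(">Q", raw[1:1 + TIMESTAMP_LEN])
    return timestamp


def is_expired(token, ttl, now):
    """Spec-style TTL check using only the header timestamp."""
    ts = extract_timestamp(token)
    if ts + ttl < now:
        return True
    if ts > now + MAX_CLOCK_SKEW:      # claims to come from the future
        return True
    return False


def verify_token(token, key):
    """Check the HMAC-SHA256 tag, which covers the header timestamp.

    A timestamp read from the cleartext is only trustworthy once this passes.
    """
    key_bytes = _b64url_decode(key)
    if len(key_bytes) != 32:
        raise ValueError("Fernet keys are 32 bytes, base64url-encoded")
    signing_key = key_bytes[:16]       # first half signs, second half encrypts
    raw = _b64url_decode(token)
    if len(raw) < MIN_TOKEN_LEN or raw[0] != FERNET_VERSION:
        return False
    basic, tag = raw[:-HMAC_LEN], raw[-HMAC_LEN:]
    expected = hmac.new(signing_key, basic, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)


def build_demo_token(key, timestamp, iv, opaque_body):
    """Assemble a token with a real HMAC over a body that is NOT AES-encrypted
    (demo placeholder), enough to exercise header parsing and the tag check."""
    key_bytes = _b64url_decode(key)
    basic = bytes([FERNET_VERSION]) + struct.pack(">Q", timestamp) + iv + opaque_body
    tag = hmac.new(key_bytes[:16], basic, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(basic + tag)


def rewrite_timestamp(token, new_timestamp):
    """Overwrite the cleartext timestamp but keep the old tag (an attacker
    without the signing key can do no better than this)."""
    raw = bytearray(_b64url_decode(token))
    raw[1:1 + TIMESTAMP_LEN] = struct.pack(">Q", new_timestamp)
    return base64.urlsafe_b64encode(bytes(raw))


# Constructed demo values: not a real key, IV or token.
DEMO_KEY = base64.urlsafe_b64encode(bytes(range(32)))
DEMO_TIMESTAMP = 1425600000                 # 2015-03-06T00:00:00Z
DEMO_IV = bytes(range(16))
DEMO_BODY = b"\x5a" * 32                    # stands in for AES-CBC ciphertext
DEMO_TOKEN = build_demo_token(DEMO_KEY, DEMO_TIMESTAMP, DEMO_IV, DEMO_BODY)

if __name__ == "__main__":
    print("header timestamp:", extract_timestamp(DEMO_TOKEN))
    print("tag valid:", verify_token(DEMO_TOKEN, DEMO_KEY))
    forged = rewrite_timestamp(DEMO_TOKEN, DEMO_TIMESTAMP + 86400)
    print("forged header reads as:", extract_timestamp(forged))
    print("forged tag valid:", verify_token(forged, DEMO_KEY))
```

The header timestamp is readable by anyone holding the token, which is what keyless_fernet relies on; what makes it safe to drop the encrypted copy from the payload is that the HMAC covers the header, so a rewritten timestamp is rejected as long as the tag is checked before the header value is trusted.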