Add Multifernet.rotate method

[derwolfe]

This addresses #3882.

Adds a rotate(msgs, ttl) method to Multifernet to make it a easier to re-encrypt old tokens under a new primary key.

Thanks!

[derwolfe]

I just realized that there should be some documentation for this as well.

[reaperhulk]

This assert would be true even if the rotation didn't occur because you're calling mf1.encrypt(plaintext) again.

[derwolfe]

whoops - I intended to reuse mf1_ciphertext instead of encrypting it again.

[alex]

Why does this work on lists of messages? No other fernet APIs do.

[derwolfe]

The main use case I was targeting was rotating an entire set of secrets from one key to another. That said, this could just operate on a single token, and we could leave it up to the consumer to handle larger groups. @alex is that what you'd prefer?

[alex]

Yes, I would :-)

…

On Fri, Oct 13, 2017 at 9:15 AM, Chris Wolfe ***@***.***> wrote: ***@***.**** commented on this pull request. ------------------------------ In src/cryptography/fernet.py <#3979 (comment)>: > @@ -134,6 +134,9 @@ def __init__(self, fernets): def encrypt(self, msg): return self._fernets[0].encrypt(msg) + def rotate(self, msgs, ttl=None): + return [self.encrypt(self.decrypt(m, ttl)) for m in msgs] The main use case I was targeting was rotating an entire set of secrets from one key to another. That said, this could just operate on a single token, and we could leave it up to the consumer to handle larger groups. @alex <https://github.com/alex> is that what you'd prefer? — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#3979 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AAADBOkW5lKFVR6HHjsyaFxDHSIQp9crks5sr2JYgaJpZM4P33Mm> .

-- "I disapprove of what you say, but I will defend to the death your right to say it." -- Evelyn Beatrice Hall (summarizing Voltaire) "The people's good is the highest law." -- Cicero GPG Key fingerprint: D1B3 ADC0 E023 8CA6

[reaperhulk]

Needs a .. versionadded:: 2.2

[reaperhulk]

Double back ticks here

[reaperhulk]

This is a petty style complaint but I prefer this with a single indent level for multiple lines and not aligned.

[reaperhulk]

I think we should move the doctest example to under the rotate method itself

[alex]

Can you pleaese add a changelog entry? (Haven't reviewed teh rest of this patch)

[derwolfe]

Sure!

On Fri, Oct 13, 2017 at 12:26 Alex Gaynor ***@***.***> wrote: Can you pleaese add a changelog entry? (Haven't reviewed teh rest of this patch) — You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub <#3979 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AAnJTYgwYncmFBF1G9rrgxmmOOBdqtNMks5sr51cgaJpZM4P33Mm> .

-- - Chris

[alex]

Please explain why someone would want this.

[alex]

Please add an asseriotn that mf1 can't decrypt something rotated by mf2.

[alex]

mmm, I just realized this resets the timestamp in the token. Is that intended? is that good?

[derwolfe]

@alex good point. I think it is also made somewhat worse by the caller being able to pass in the TTL, thereby setting up the assumption that token might contain the same timestamp that it did when encrypted.

I don't really have a good solution for this. The following two options come to mind:

1. I think it could be acceptable to have an enormous, flashing lights style warning in the docs stating that this will re-encrypt and thereby change the timestamp of the token. This does seem somewhat reasonable to me in that, were I to want to re-encrypt a bunch of fernet tokens due to a key compromise and were I relying on the timestamp stored on the token for something like a session, I'd likely want to to invalidate all sessions encrypted under the compromised key anyway.

   Further, with the current interface provided by Fernet/MultiFernet, there isn't a way to pass in a custom timestamp with a token. Given that, I'd expect (guess) that consumers of this are likely already handling TTL adjustments themselves. That said, I'm sure there are use cases that I'm not really considering (I've not used TTLs in practice at all).

2. Another solution might be to make it possible to pass in a timestamp to use when rotating. I'm not sure if this would be advisable or in violation of the spec.

   Conceptually, fernet takes a user-provided message (an arbitrary sequence of bytes), a key (256 bits), and the current time, and produces a token, which contains the message in a form that can't be read or altered without the key.

   If we wanted to make a slightly different interface to Fernet that would allow the user to specify the current time, then tokens could be rotated using their original time. That said, we'd then have to make it relatively easy for users to extract that time from their tokens.

I do think that option #1 would be easier to understand and maintain. I also think that it most closely matches what a user would expect of a rotation function given Fernet's current interface.

What do you think?

Also, thank you for both for your reviews :)

[alex]

I think the right thing to do is probably reuse the original timestamp; though I'd be interested in hearing @reaperhulk's thought.

The way to accomplish that would be to refactor the decrypt method to have an internal method that returned the timestamp, and then use that + the internal encrypt method.

[derwolfe]

The way to accomplish that would be to refactor the decrypt method to have an internal method that returned the timestamp, and then use that + the internal encrypt method.

Didn't think of that! :) This does seem like a safer, more user friendly solution.

[reaperhulk]

My preference would be for the default of rotate be ttl preservation. We could entirely remove the ttl arg, but it does seem reasonable for callers who use ttl to rotate and update ttl.

[derwolfe]

Sounds good - when I get some time this week, I'll make the changes.

[alex]

I actually think removing the ttl arg makes sense - ttl is about decryption, if rotate preserves the original timestamp, it's a "noop" in that sense.

[reaperhulk]

@alex it doesn't seem out of the question for a caller to want to rotate the encryption key and update the ttl to a later time.

Of course, to allow ttl alteration and rotation the ttl arg actually needs to have 3 types of values. Preserve, no ttl, and a new ttl. In encrypt we have None as no ttl, but None can't be both no ttl and preserve ttl, so we'd need to do a sentinel or enum to handle that.

If we want to wait for a user to request ttl update we could minimize our API surface area by not supporting ttl update for now. A future PR could add the above with no backwards compatibility concerns.

[alex]

There's two distinct things here:

a) Changin the stored timestamp
b) Enforcing the ttl argument against the timestamp.

I don't believe we should do either (and therefore we can drop the ttl argument).

[reaperhulk]

I wrote a lot of words about various concerns I have but while doing so have talked myself into agreeing. Yes, since a Fernet token actually only encodes timestamp and the ttl is an arg to decrypt then I agree that rotation should not enforce a ttl.

I'm not convinced that we shouldn't support update_timestamp but in the absence of a user advocate for the feature I'm not going to fight for it.

[reaperhulk]

Since this returns a timestamp that may be invalid (we haven't performed the HMAC verification), let's call this _get_unvalidated_token_data.

(For our purposes it's okay to not have validated it yet as the call to _decrypt_data does the HMAC check)

obviated by updates

[reaperhulk]

nit: there shouldn't be a comma here (You didn't add it, but let's go ahead and fix it now)

[reaperhulk]

I don't like this first sentence. Token rotation isn't just to limit the compromise window -- It's also for policy (rotation post-employee departure). Rotation in the event of actual compromise is a much more involved affair. Rotation as a best practice/cryptographic hygiene policy is designed to limit the damage in the event of an undetected event/increase the difficulty of attacks.

[derwolfe]

@reaperhulk does this work a bit better?

        Rotates a token by re-encrypting it under the :class:`MultiFernet`
        instance's primary key. This preserves the timestamp that was originally
        saved with the token. If a token has successfully been rotated then the
        rotated token will be returned. If rotation fails this will raise an
        exception.

        Token rotation is a best practice and manner of cryptographic hygiene
        designed to limit damage in the event of an undetected event and to
        increase the difficulty of attacks. For example, it would be necessary
        to rotate all fernet tokens in the event of an employee leaving who
        previously had access to the fernet key used to encrypt/decrypt fernet
        tokens.

I initially added the sentence "rotating tokens is necessary..." to try provide a reason for someone to want to use rotate. I'm wondering if it might make more sense to pull the second part of the docstring I've proposed out of rotate and into the docs for MultiFernet itself.

[reaperhulk]

Yeah we have a section about key rotation in the multifernet class introduction so it probably does make sense to expand on it up there and link to the rotate method.

[reaperhulk]

This comma and the one in the next sentence are both superfluous.

[reaperhulk]

"If a token is invalid this exception is raised" is probably all we need here.

[reaperhulk]

I'd like to register my (continued) displeasure that enchant can't figure out plurals.

[reaperhulk]

Since this is a static method we can just call Fernet._get_unverified_token_data

[reaperhulk]

Why does _encrypt_from_parts take an iv? The only other caller also does this os.urandom call. I don't think we want to have two places in our code where we generate the random IV. Maybe we should modify _encrypt_from_parts to just take data and timestamp and hoist iv generation into the method?

[alex]

For the tests.

[reaperhulk]

Ah. Well that's a good reason. I still don't like os.urandom being called in two places, but maybe I need to just be okay with that.

[reaperhulk]

This test would pass most of the time even if we weren't preserving timestamp since fernet timestamps have second granularity. I think we need to monkeypatch time to test this properly.

[derwolfe]

I only need to patch time once, after encryption. I'll change the PR to do that.

[reaperhulk]

This language still bugs me but I don't have constructive improvement to offer.