The Token-Based Authentication feature requires authentication before the delivery of content via the CDN. If Token-Based Authentication has been applied to the requested content, then the following two requirements must be met before it will be delivered:
Yes. By default, Token-Based Authentication may be applied recursively to a directory. However, Rules Engine allows Token-Based Authentication to be enabled/disabled by request type. Leverage this capability to tailor the set of requests that will require authentication.
Both keys provide the same set of functionality.
A backup key provides the means through which you can ensure uninterrupted access to your content when updating an encryption key.
Use the OpenSSL tool to generate a hexadecimal encoded encryption key.
Syntax:
No. It can only be decrypted by the key used to encrypt it. Use the Token Generation executable to decrypt tokens generated with an old encryption key.
The total length of a token cannot exceed 512 characters.
No. However, the resulting token cannot exceed 512 characters.
Yes, unless both of the following conditions are true:
A token can be used across platforms when the same encryption key has been defined for each platform.
Make sure to always include both of the following parameters:
The differences between the various versions are described below.
Version | Description |
---|---|
1 |
This is the original version of Token-Based Authentication. This version has a known security vulnerabilityTo protect the integrity of customer data, details on the exact security vulnerability cannot be shared at this time. Although we highly value transparency, this policy provides customers additional time to prepare and implement the transition to version 3.. You should upgrade to Token-Based Authentication 3.0. |
2 |
This version was introduced to address a security vulnerability in version 1. This version has a known security vulnerabilityTo protect the integrity of customer data, details on the exact security vulnerability cannot be shared at this time. Although we highly value transparency, this policy provides customers additional time to prepare and implement the transition to version 3.. You should upgrade to Token-Based Authentication 3.0. |
3 |
This version, which leverages a state-of-the-art cryptographic algorithm and additional security measures to harden token encryption/decryption, introduces the following differences:
|
Follow the directions provided below to find out version information.
Component | Encryption/Decryption Version |
---|---|
Encrypt Tool (Token Auth page) |
Tokens will be encrypted/decrypted using either version 2.0 or 3.0 as determined by the Encryption Version option. |
Token Generator (Windows Executable/Linux Binaries) |
Find out version information by running the following command: ectoken3 --version
The above command does not work with version 1.0. Please upgrade to the latest version immediately. |
Token Generator (Source Code) |
If version information is not provided on that line, then you are using version 1.0. Please upgrade to the latest version immediately. |
Update Primary Key (REST API) |
By default, a new primary key will be assigned a minimum encryption version of 2.0. An optional parameter called "MinVersion" may be used to define a higher minimum encryption version. |
Encrypt Token Data (REST API) |
A response body parameter called "TokenVersion" indicates the encryption version used to generate the token. |
The introduction of this update does not affect the CDN's ability to authenticate traffic via Token-Based Authentication. Additionally, most Token-Based Authentication components require manual intervention before they will take effect.
More Information
This update was applied to the following components:
Component | Description |
---|---|
Encrypt Tool (Token Auth page) |
Tokens will be encrypted/decrypted using either version 2.0 or 3.0 as determined by the Encryption Version option. |
Token Generator (Windows Executable/Linux Binaries) |
This update will not take effect until the following actions take place:
By default, the updated Token Generator will encrypt/decrypt tokens using version 3.0. However, a command-line parameter (e.g., ectoken3 -2 Key Parameters) may be used to generate tokens using version 2.0. |
Token Generator (Source Code) |
This update will not take effect until the following actions take place:
|
Update Primary Key (REST API) |
By default, a new primary key will be assigned a minimum encryption version of 2.0. Use the MinVersion parameter to assign a minimum encryption version of 3.0 to the new primary key. This will effectively disable version 2.0 encryption/decryption for tokens generated from the new primary key. This method should be used with care. The safest method for updating your primary key is to do so through the Token Auth page. Continuous access to your content cannot be guaranteed when a backup key is not used. |
Encrypt Token Data (REST API) |
By default, tokens are encrypted using the minimum encryption version assigned to the specified key. Encrypt tokens using version 3.0 by indicating that preference in the TokenVersion parameter. |
Token-Based Authentication 3.0 leverages a state-of-the-art cryptographic algorithm and additional security measures to harden token encryption/decryption. Use the following procedure to properly update custom scripts/applications.
To upgrade to the latest version of Token-Based Authentication
Steps 2 and 3 may be skipped if your custom script/application only uses the Encrypt Token Data method (REST API) to generate tokens.
Download the latest version of the Token Generator.
Apply the Token Generator update by performing either of the following steps:
Immediately after making the above changes, update the desired script or application to use the new primary key. At this point, version 3.0 tokens will be generated.
All of the above steps, with the exception of step 2, must be performed for each platform that authenticates content via Token-Based Authentication.