tuupola / branca-spec

Authenticated and encrypted API tokens using modern crypto
https://www.branca.io/

Timestamp is not protected against tampering #36

Closed errhammr closed 3 years ago

errhammr commented 3 years ago

If I understood the Branca specs correctly, the timestamp field seems to be unprotected.

Let's say a website uses Branca tokens as session cookies and relies on the timestamp field in order to check if the token is still valid. An attacker might get access to a valid or expired token and manipulate the timestamp field whenever needed in order to make the expired token valid again. This applies not only to the context of websites and session cookies but to every possibly untrusted environment in which Branca tokens could be used.

As far as I can tell, the timestamp field doesn't provide any reliable information in an untrusted environment.

I'm writing this because not everyone using Branca tokens might be aware of that. I suggest either making this very clear in the documentation or changing the spec so that tampering with the timestamp field can be detected.

tuupola commented 3 years ago

The timestamp field is cleartext, but it cannot be tampered with since it is part of the header, which is the additional data for AEAD. If you tamper with the timestamp (or any other part of the header), verifying the Poly1305 tag will fail.

You can try it yourself with the token from test vector 20. The original timestamp was 0x0757fb00 but it was modified to 0x0057fb00.

errhammr commented 3 years ago

I wasn't aware of that. Thanks!
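
The check described in tuupola's reply, as an added example that is not part of the original thread or of any Branca implementation: the 29-byte header (version 0xBA, big-endian timestamp, 24-byte nonce) is fed to XChaCha20-Poly1305 as associated data, so a changed timestamp no longer matches the tag. Assumptions: the cipher is written out with the Python standard library only, base62 encoding is left out, function names are hypothetical, and the key, nonce and payload are constructed sample values (only the two timestamps come from the thread).

```python
import hmac, struct

M, P = 0xffffffff, 2**130 - 5
SIGMA = list(struct.unpack("<4L", b"expand 32-byte k"))
QR = [(0, 4, 8, 12), (1, 5, 9, 13), (2, 6, 10, 14), (3, 7, 11, 15),
      (0, 5, 10, 15), (1, 6, 11, 12), (2, 7, 8, 13), (3, 4, 9, 14)]

def _rounds(init):  # 20 ChaCha rounds: 10 x (column round + diagonal round)
    s = list(init)
    for _ in range(10):
        for a, b, c, d in QR:
            for x, y, z, n in ((a, b, d, 16), (c, d, b, 12), (a, b, d, 8), (c, d, b, 7)):
                s[x] = (s[x] + s[y]) & M
                v = s[z] ^ s[x]
                s[z] = ((v << n) | (v >> (32 - n))) & M
    return s

def _block(key, ctr, n12):  # one 64-byte ChaCha20 keystream block
    init = SIGMA + list(struct.unpack("<8L", key)) + [ctr] + list(struct.unpack("<3L", n12))
    return struct.pack("<16L", *((x + y) & M for x, y in zip(_rounds(init), init)))

def _aead(key, header, data, sealing):  # returns (data XOR keystream, Poly1305 tag)
    s = _rounds(SIGMA + list(struct.unpack("<12L", key + header[5:21])))  # HChaCha20
    k, n = struct.pack("<8L", *(s[:4] + s[12:])), b"\0" * 4 + header[21:29]
    ks = b"".join(_block(k, 1 + i, n) for i in range(len(data) // 64 + 1))
    out = bytes(a ^ b for a, b in zip(data, ks))
    ct = out if sealing else data  # the tag always covers the ciphertext
    pad = lambda b: b + b"\0" * (-len(b) % 16)
    msg = pad(header) + pad(ct) + struct.pack("<QQ", len(header), len(ct))  # header = AAD
    otk, acc = _block(k, 0, n), 0  # one-time Poly1305 key from block counter 0
    r = int.from_bytes(otk[:16], "little") & 0x0ffffffc0ffffffc0ffffffc0fffffff
    for i in range(0, len(msg), 16):
        acc = (acc + int.from_bytes(msg[i:i + 16] + b"\x01", "little")) * r % P
    return out, ((acc + int.from_bytes(otk[16:32], "little")) % 2**128).to_bytes(16, "little")

def seal(key, nonce24, timestamp, payload):
    header = b"\xba" + struct.pack(">L", timestamp) + nonce24  # version, timestamp, nonce
    ct, tag = _aead(key, header, payload, True)
    return header + ct + tag

def open_token(key, token):  # (timestamp, payload), or None when the tag does not verify
    header, ct, tag = token[:29], token[29:-16], token[-16:]
    pt, expected = _aead(key, header, ct, False)
    return (struct.unpack(">L", header[1:5])[0], pt) if hmac.compare_digest(tag, expected) else None

def demo(key=bytes(range(32))):  # constructed key, nonce and payload
    token = seal(key, bytes(range(100, 124)), 0x0757fb00, b"session=alice")
    forged = token[:1] + b"\x00" + token[2:]  # timestamp 0x0757fb00 -> 0x0057fb00
    return open_token(key, token), open_token(key, forged)
```

`demo()` returns the decoded timestamp and payload for the untouched token and `None` for the copy whose timestamp byte was changed.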