[cryptography] Digest comparison algorithm

Alfonso De Gregorio adg at crypto.lo.gy
Thu Dec 1 18:53:33 EST 2011


On Fri, Dec 2, 2011 at 12:31 AM, Jon Callas <jon at callas.org> wrote:
>
> On Dec 1, 2011, at 2:37 PM, Jerrie Union wrote:
>
>> I’m wondering, if it’s running as some authenticated server application, if
>> it should be considered as resistant to time attacks nowadays. I’m aware that’s
>> not a good practice, but I’m not clear if I should consider it as exploitable over the
>> network (on both intranet and internet scenarios).
>>
>> I would like to run some tests, but I’m not sure if I should follow some specific
>> approach. Has anyone done some research recently?
>
> I agree with Ian. You have correctly observed that the check algorithm is not constant time. This is a flaw. But you're doing a hash, and consequently that flaw may not be observable. It is therefore a very small flaw.

If the attacker has direct control over the challenge/digest, the side
channel may turn out to be observable. The attacker could adaptively
query the authentication server and exploit the timing information to
recover the hashed secret - gaining access. If the hash is not salted,
a secret preimage can be found with a TMTO attack.

-- alfonso     blogs at http://Plaintext.crypto.lo.gy   tweets @secYOUre
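
The non-constant-time check discussed in this thread, next to a constant-time form, as an added example that is not part of the original post or of the code being reviewed. The function names and the sample secret are constructed for illustration; counting examined bytes stands in for wall-clock time so the result is deterministic.

```python
import hashlib
import hmac

def leaky_equal(expected, supplied):
    """Early-exit comparison. Returns (equal, bytes_examined)."""
    if len(expected) != len(supplied):
        return False, 0
    examined = 0
    for a, b in zip(expected, supplied):
        examined += 1
        if a != b:
            # Work done stops at the first mismatch, so it tracks the
            # length of the matching prefix of the supplied digest.
            return False, examined
    return True, examined

def constant_time_equal(expected, supplied):
    """OR together the XOR of every byte pair. Returns (equal, bytes_examined)."""
    if len(expected) != len(supplied):
        return False, 0
    diff = 0
    examined = 0
    for a, b in zip(expected, supplied):
        diff |= a ^ b  # no data-dependent branch or early return
        examined += 1
    return diff == 0, examined

def verify(expected, supplied):
    """What production code should call: the standard-library constant-time compare."""
    return hmac.compare_digest(expected, supplied)

def work_profile(compare, expected):
    """Bytes examined when the first wrong byte is at position 0, 1, 2, ..."""
    profile = []
    for i in range(len(expected)):
        candidate = bytearray(expected)
        candidate[i] ^= 0xFF  # force a mismatch at position i only
        profile.append(compare(expected, bytes(candidate))[1])
    return profile

# Constructed sample value, not taken from the thread.
EXPECTED = hashlib.sha256(b"constructed-sample-secret").digest()

if __name__ == "__main__":
    print("early exit   :", work_profile(leaky_equal, EXPECTED))
    print("constant time:", work_profile(constant_time_equal, EXPECTED))
```
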


