top | item 33761551

(no title)

wolfwyrd | 3 years ago

This is a timing attack or timing oracle. Lets assume a mac represented in an array of 32 bytes. If we had a pseudocode method like:

    byte [32] (actualMac, expectedMac)
    for int x = 0..31
        if (actualMac[x] != expectedMac[x])
            return false;
        fi
    end
    return true;

We return false as soon as we hit an invalid byte in our calculated mac. If the time taken to execute one iteration of the loop is Y and the attacker is able to time this method accurately they will be able to tell what the value of actualMac is by feeding known inputs. They will know because the return time will be 2Y when they have bailed after the first byte. 3Y after the second, 4Y after the third etc.

This is why we should check the arrays in constant time - compare every byte in both arrays before returning. We do not return early so we can’t leak information

discuss

hellfish|3 years ago

> in constant time

why is it called constant time if it isn't constant with respect to array length? Just seems confusing because the algorithm is linear without a short circuit

namkt|3 years ago

It's constant time in that it always takes the same amount of time regardless of the extent to which the two strings are equal. It is a different concept than constant time in complexity analysis.

What's even more confusing is that it is also constant time in the complexity analysis sense given that the mac is usually a fixed-size string after choosing a hashing algorithm.

fweimer|3 years ago

Isn't it sufficient to compare 64 bits at a time? Then the oracle becomes rather useless.

Many current memcmp implementations use such large comparisons because they avoid hard-to-predict data-dependent branches for extracting the specific point of mismatch.

TylerE|3 years ago

Don’t really buy it. Seems to be both “spherical cow optimistic assumptions” and “anyone who could seriously think about pulling this off has nation-state level resources and already 0wnz you and/or already has the rubber hose at hand"

kapp_in_life|3 years ago

Not really. It doesn't rely on that big of an assumption, nor does it require nation state resources[0]. When you're trying to find the secret you can make a bunch of requests and measure for statistically significant change, which can still be detectable beyond jitter & web server load.

Also ignoring the fact that calling constant_strcompare(string, string) instead of strcompare(string, string) when working with secrets isn't that big of an ask.

[0] https://crypto.stanford.edu/~dabo/papers/ssl-timing.pdf