On Dec 1, 2011, at 2:37 PM, Jerrie Union wrote:
> I’m wondering, if it’s running as some authenticated server application, if
> it should be considered as resistant to time attacks nowadays. I’m aware
> that’s
> not a good practice, but I’m not clear if I should consider it as exploitable
> over the
> network (on both intranet and internet scenarios).
>
> I would like to run some tests, but I’m not sure if I should follow some
> specific
> approach. Anyone has done some research recently?
I agree with Ian. You have correctly observed that the check algorithm is not
constant time. This is a flaw. But you're doing a hash, and consequently that
flaw may not be observable. It is therefore a very small flaw.
I might rewrite the routine differently than Ian did. Let me apologize in
advance for being a C guy writing Java, but I'd do approximately this:
public boolean check(digest, secret) {
int failure = 0;
hash = md5(secret);
failure |= (digest.length != hash.length); // Is the hash of the same
length?
for (i = 0; i < min(digest.length, secret.length); i++) {
failure |= (digest[i] != hash[i]); // Check each byte for non-match
}
return failure == 0; // return true if we didn't fail. Yeah, confusing.
}
I don't guarantee that this works, but it looks okay from here. The intent is
that you always OR together a length check and each byte check, with a
low-order 1 bit indicating a failure. Then you reverse polarity and convert to
a boolean. I hope I didn't embarrass myself in this pseudocode.
You have to have a wart in one of two places. I chose to have a wart that if
the sizes mismatch, you still do the byte checks. Alternatively, if you return
early on a size mismatch, you leak a size mismatch, which is small potatoes in
the grand scheme of things. My way of doing it leaks the size mismatch and its
size if you can somehow force in a secret of variable size. I went back and
forth on which is better and decided I don't care at the end.
I don't think there's anything wrong with what Ian did, but I stuck to having
most of my work be an OR because I'm that paranoid.
Jon
_______________________________________________
cryptography mailing list
[email protected]
http://lists.randombit.net/mailman/listinfo/cryptography