On Dec 1, 2011, at 11:48 PM, Marsh Ray wrote:

> On 12/01/2011 04:37 PM, Jerrie Union wrote:
>>
>> public boolean check(digest, secret) {
>>   hash = md5(secret);
>>
>>   if (digest.length != hash.length) {
>>     return false;
>>   }
>>
>>   for (i = 0; i < digest.length; i++) {
>>     if (digest[i] != hash[i]) {
>>       return false;
>>     }
>>   }
>>
>>   return true;
>> }
>>
>> I’m wondering, if it’s running as some authenticated server application, if
>> it should be considered as resistant to time attacks nowadays.
>
> Not resistant. It's a timing oracle. Very dangerous.
How should the attacker mount the attack after hash[0] has been recovered? I guess for a given digest D, if the attacker guesses the character at position 1 (D[1]) by supplying the secret S, there’s no easy way to recover D[2], because the md5 function will introduce noise in every single bit of the output as you change a single bit in the input.

Maybe, by having a huge precomputed table, the attacker can attempt to mount a timing attack in this way:

1. guess the first byte of the digest by exploiting the timing attack
2. for every digest in the rainbow table starting with the previously guessed byte:
3. try to send the plaintext and time the response to recover the second byte

The same process could be iterated until the full string is recovered. Does it make sense?

_______________________________________________
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography
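The comparison quoted in the thread, instrumented to show what its early exit leaks, next to a constant-time form of the same check; this is an added example, not code from the thread, and the secret and guesses are constructed samples:

```python
import hashlib
import hmac

def leaky_check(digest: bytes, secret: bytes) -> tuple[bool, int]:
    """The byte-by-byte comparison from the thread, instrumented: returns
    (match, bytes_examined). The second value is what a response time
    reveals, because the loop stops at the first mismatching byte."""
    hash_ = hashlib.md5(secret).digest()
    if len(digest) != len(hash_):
        return False, 0
    examined = 0
    for d, h in zip(digest, hash_):
        examined += 1
        if d != h:
            return False, examined
    return True, examined

def constant_time_check(digest: bytes, secret: bytes) -> bool:
    """Hardened form: every byte is examined and mismatches are accumulated
    with XOR/OR, so the work done does not depend on where the first
    mismatch is. The length check is fine: the digest length is public."""
    hash_ = hashlib.md5(secret).digest()
    if len(digest) != len(hash_):
        return False
    diff = 0
    for d, h in zip(digest, hash_):
        diff |= d ^ h
    return diff == 0

def stdlib_check(digest: bytes, secret: bytes) -> bool:
    """Same check using the standard library's constant-time comparison."""
    return hmac.compare_digest(hashlib.md5(secret).digest(), digest)

def guess_with_prefix(secret: bytes, matching: int) -> bytes:
    """Helper for the demonstration: a 16-byte digest whose first `matching`
    bytes are correct and whose next byte (if any) is wrong."""
    real = bytearray(hashlib.md5(secret).digest())
    if matching < len(real):
        real[matching] ^= 0xFF
    return bytes(real)

if __name__ == "__main__":
    secret = b"correct horse"  # constructed sample secret
    for known in (0, 1, 5, 15):
        guess = guess_with_prefix(secret, known)
        _, examined = leaky_check(guess, secret)
        print(f"{known} correct leading byte(s): leaky loop examined {examined}")
        assert not constant_time_check(guess, secret)
    print("constant-time match:", stdlib_check(guess_with_prefix(secret, 16), secret))
```

The examined count grows by one for each correct leading byte, which is exactly the per-byte signal the thread calls a timing oracle; the constant-time versions always touch all 16 bytes.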