On Dec 1, 2011, at 3:53 PM, Alfonso De Gregorio wrote:

> 
> If the attacker has direct control over the challenge/digest, the side
> channel may turn to be observable. The attacker could query adaptively
> the authentication server and exploit the timing information to
> recover the hashed secret - gaining access. If the hash is not salted,
> a secret preimage can be found with a TMTO attack.
> 

Potentially yes, indeed. But the logic that you use to prevent that might also 
have timing issues.

If I were writing in C, I might do something slightly evil like just compare 16 
bytes regardless, but that could give problems in a language like Java, which 
might take an exception if the challenge is short. There's the additional 
problem that unless you compare an algorithm ID, too, there's the chance that 
you'd get a cross-hash collision (one where the first 16 bytes of SHA256 matches 
the MD5), even. I didn't even address the question of why MD5 was being used 
for this without an HMAC, as I took that as a constraint.

It also occurred to me that there are architectures where 
comparison/subtraction isn't constant time (a negative result takes an extra 
micro-op) and if you're really anal, you should use an idiom like:

        failure |= x ^ y;

and compare to zero at the end. You could even do this with sizes larger than a 
byte, if you can somehow cast a byte array into something larger, and then just 
inline the whole thing.

So it's really a more involved question than it appears on first blush -- and 
that's why crypto is hard!

        Jon
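The comparison idiom Jon describes, written out as an added example (this is not code from the thread or from any library the thread mentions). It accumulates `failure |= x ^ y` over every byte and only inspects the result at the end, folds a hypothetical algorithm tag and the length into the same accumulator so the cross-hash case (MD5 output equal to the first 16 bytes of a SHA-256 output) is rejected, and keeps digests in a fixed-size zero-padded buffer so a short input cannot cause an out-of-bounds read. The `ALG_*` tags, the `tagged_digest` layout, and the sample bytes are all constructed for the example; the sample bytes are arbitrary and are not real hash outputs.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical algorithm tags, constructed for this example. */
enum digest_alg { ALG_MD5 = 1, ALG_SHA256 = 2 };

/* Digest plus its tag and length, in a fixed-size zero-padded buffer so the
 * compare always walks the same number of bytes and never overruns a short input. */
struct tagged_digest {
    uint32_t alg;
    uint32_t len;        /* digest length in bytes, at most 32 */
    uint8_t  bytes[32];
};

static struct tagged_digest make_digest(enum digest_alg alg,
                                        const uint8_t *src, size_t len) {
    struct tagged_digest d;
    memset(&d, 0, sizeof d);
    if (len > sizeof d.bytes) len = sizeof d.bytes;
    d.alg = (uint32_t)alg;
    d.len = (uint32_t)len;
    memcpy(d.bytes, src, len);
    return d;
}

/* "Before": returns at the first differing byte, so running time depends on
 * the length of the matching prefix. Kept here only for contrast. */
int digest_equal_leaky(const uint8_t *a, const uint8_t *b, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (a[i] != b[i]) return 0;
    return 1;
}

/* Branch-free zero test: 1 if v == 0, else 0. Set bits are folded into the
 * low byte; (v - 1) >> 8 then has bit 0 set only when v was 0. */
static int ct_is_zero(uint32_t v) {
    v |= v >> 16;
    v |= v >> 8;
    v &= 0xFFu;
    return (int)(1u & ((v - 1u) >> 8));
}

/* The idiom from the mail: OR together every XOR difference, test once at the end. */
int ct_equal(const uint8_t *a, const uint8_t *b, size_t n) {
    uint32_t failure = 0;
    for (size_t i = 0; i < n; i++)
        failure |= (uint32_t)(a[i] ^ b[i]);
    return ct_is_zero(failure);
}

/* Tag and length go into the same accumulator, so a cross-hash match of the
 * first 16 bytes is rejected, and the full 32-byte buffer is always walked. */
int ct_digest_equal(const struct tagged_digest *x, const struct tagged_digest *y) {
    uint32_t failure = x->alg ^ y->alg;
    failure |= x->len ^ y->len;
    for (size_t i = 0; i < sizeof x->bytes; i++)
        failure |= (uint32_t)(x->bytes[i] ^ y->bytes[i]);
    return ct_is_zero(failure);
}

/* Constructed test bytes (arbitrary values, not real hash outputs). The
 * 32-byte sample deliberately starts with the 16-byte sample. */
static const uint8_t SAMPLE_A16[16] = {
    0xa1,0x7c,0x03,0x5e,0x92,0x4b,0xd0,0x68,0x1f,0xe6,0x3a,0x8d,0xc5,0x27,0xb9,0x40 };
static const uint8_t SAMPLE_B32[32] = {
    0xa1,0x7c,0x03,0x5e,0x92,0x4b,0xd0,0x68,0x1f,0xe6,0x3a,0x8d,0xc5,0x27,0xb9,0x40,
    0x11,0x22,0x33,0x44,0x55,0x66,0x77,0x88,0x99,0xaa,0xbb,0xcc,0xdd,0xee,0xff,0x00 };

int check_same(void) {
    struct tagged_digest a = make_digest(ALG_MD5, SAMPLE_A16, 16);
    struct tagged_digest b = make_digest(ALG_MD5, SAMPLE_A16, 16);
    return ct_digest_equal(&a, &b);                 /* 1 */
}

int check_last_byte_differs(void) {
    uint8_t tampered[16];
    memcpy(tampered, SAMPLE_A16, 16);
    tampered[15] ^= 0x01;
    struct tagged_digest a = make_digest(ALG_MD5, SAMPLE_A16, 16);
    struct tagged_digest b = make_digest(ALG_MD5, tampered, 16);
    return ct_digest_equal(&a, &b);                 /* 0 */
}

/* A raw 16-byte compare accepts the SHA-256 prefix; the tagged compare must not. */
int check_cross_hash_rejected(void) {
    struct tagged_digest a = make_digest(ALG_MD5, SAMPLE_A16, 16);
    struct tagged_digest b = make_digest(ALG_SHA256, SAMPLE_B32, 32);
    int raw = ct_equal(a.bytes, b.bytes, 16);       /* 1 */
    int tagged = ct_digest_equal(&a, &b);           /* 0 */
    return raw == 1 && tagged == 0;
}

int main(void) {
    printf("same=%d differs=%d cross_hash_rejected=%d\n",
           check_same(), check_last_byte_differs(), check_cross_hash_rejected());
    return 0;
}
```

Two practical notes: the tag and length are treated as public protocol fields here, so folding them into the accumulator costs nothing and avoids a separately timed early return; and a C compiler is free to turn any of this back into branches, so a routine like this should be checked in the generated assembly (or replaced by a vetted library routine such as the one your crypto library already ships) rather than trusted from the source alone.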




_______________________________________________
cryptography mailing list
[email protected]
http://lists.randombit.net/mailman/listinfo/cryptography