On Mar 13, 2005, at 11:27 AM, Carl Lowenstein wrote:

Obviously, some computers are faster than others, and if I was doing
this on a 2.8GHz P4 it would run about 10x faster.  But this is
ridiculous.

That does sound abjectly ridiculous.

However, I seem to recall that there were some exploits that used the speed of a hashing function to mount an attack, i.e., the speed of the hashing function was dependent upon the data input. By sending carefully crafted messages, an attacker could actually retrieve key information somehow. Please don't ask me for a reference, as I would include it in this email if I had it handy.

Writing a function to not be data dependent would probably pessimize the speed, a lot.

This still sounds ridiculous, but you might want to check for the existence of a "look just give me the hash and forget about timing" flag.

-a
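The data-dependent timing mentioned in the reply above is easiest to see in the comparison step that follows the hash, not in the hash itself: an early-exit byte comparison stops at the first mismatch, so the work it does (and therefore its running time) depends on how many leading bytes of the input are correct. The example below is added here and is not code from the thread; it contrasts an early-exit comparison with a constant-time one, returning a byte count as a deterministic stand-in for elapsed time, and shows the standard-library `hmac.compare_digest` that a practitioner would use to verify a MAC tag. The key, message and tags are constructed sample values.

```python
import hashlib
import hmac


def naive_equal(a: bytes, b: bytes) -> tuple[bool, int]:
    """Early-exit comparison.

    Returns (equal, bytes_examined). The loop stops at the first mismatch,
    so the amount of work depends on where the inputs first differ. That
    is the data-dependent timing the thread is talking about.
    """
    if len(a) != len(b):
        return False, 0
    examined = 0
    for x, y in zip(a, b):
        examined += 1
        if x != y:
            return False, examined
    return True, examined


def constant_time_equal(a: bytes, b: bytes) -> tuple[bool, int]:
    """Constant-time comparison for equal-length inputs.

    Every byte pair is XORed and OR-accumulated; there is no early exit,
    so the work done is the same for any two inputs of the same length.
    """
    if len(a) != len(b):
        return False, 0
    acc = 0
    for x, y in zip(a, b):
        acc |= x ^ y
    return acc == 0, len(a)


def verify_tag(key: bytes, message: bytes, tag: bytes) -> bool:
    """Verify an HMAC-SHA256 tag using the standard library's
    constant-time comparison rather than a plain '==' on bytes."""
    expected = hmac.new(key, message, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)


if __name__ == "__main__":
    # Constructed sample inputs: a reference value and two wrong guesses
    # that differ from it at different positions.
    reference = b"abcdef"
    print(naive_equal(reference, b"Xbcdef"))          # (False, 1)
    print(naive_equal(reference, b"abcdeX"))          # (False, 6)
    print(constant_time_equal(reference, b"Xbcdef"))  # (False, 6)
    print(constant_time_equal(reference, b"abcdeX"))  # (False, 6)

    key = b"constructed-sample-key"
    msg = b"hello"
    good_tag = hmac.new(key, msg, hashlib.sha256).digest()
    print(verify_tag(key, msg, good_tag))             # True
    print(verify_tag(key, msg, bytes(32)))            # False
```

The byte counts are the point: the early-exit version examines 1 byte for a guess that is wrong at the first position and 6 for one that is wrong only at the last, while the constant-time version examines all 6 either way. In real code, use `hmac.compare_digest` for MAC and token checks rather than hand-rolling the loop.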

--
[email protected]
http://www.kernel-panic.org/cgi-bin/mailman/listinfo/kplug-lpsg
