On 19/06/13 18:06, Steve Weis wrote:

> I also noticed the verification code might be susceptible to a
> timing attack: "if (hex_hmac_sha1(key, text) === hmac)"
It looks like the adversary might be able to bypass MAC checking entirely: decryptNode() accepts a message if either the first 40 bytes are a valid HMAC or the first 64 bytes are the hash of the plaintext. If the adversary can guess the real plaintext then she can modify the CTR ciphertext to produce a new plaintext and authenticate it by replacing the MAC with the hash of the new plaintext.

Cheers,
Michael