Blaine or Kellan threw out a question about this vulnerability in an OAuth context that I haven't had the time (nor do I have the qualifications) to answer: do the use of a nonce and timestamp mitigate the risk?
My gut is no, but it'd be nice to hear from a security professional who has had a chance to vet it. thanks. seth On Fri, Aug 14, 2009 at 11:58 AM, Breno de Medeiros<[email protected]> wrote: > > I would note that this bug is not OAuth-specific but in principle > affects other protocols that perform signature validation via HMACs. > > This is a good reason not to roll out new crypto code willy-nilly. If > you use a established crypto library then when people fix bugs > (possibly mitigating discovered attacks against other protocols), the > fix may protect your implementation as well. > > On Fri, Aug 14, 2009 at 11:53 AM, Pelle Braendgaard<[email protected]> wrote: >> >> This was posted yesterday about timing attacks when comparing digests >> as most of us do in our OAuth implementations. >> >> http://codahale.com/a-lesson-in-timing-attacks/ >> >> The problem is not with the standard itself but with the >> implementations. Luckily it is pretty easy to fix. >> >> The above post provides us with fairly easy solutions for both Java >> and Python. I wrote a fix for Ruby, which I think should provide >> protection for it: >> >> http://github.com/pelle/oauth/commit/c867394b4b14bc893cc29fbb0b1b839066843b93 >> >> We will probably do a ruby gem release shortly for this, but in the >> meantime feel free to use the gem from my oauth repository. >> >> It is not afaik esploitable without a fair bit of skill, but I believe >> it it is definitely exploitable. >> >> P >> >> -- >> http://agree2.com - Reach Agreement! >> http://extraeagle.com - Solutions for the electronic Extra Legal world >> http://stakeventures.com - Bootstrapping blog >> >> > >> > > > > -- > --Breno > > +1 (650) 214-1007 desk > +1 (408) 212-0135 (Grand Central) > MTV-41-3 : 383-A > PST (GMT-8) / PDT(GMT-7) > > > > --~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "OAuth" group. To post to this group, send email to [email protected] To unsubscribe from this group, send email to [email protected] For more options, visit this group at http://groups.google.com/group/oauth?hl=en -~----------~----~----~----~------~----~------~--~---
