Hi
On 5 Feb 2014, at 22:57, Yasuo Ohgaki <[email protected]> wrote:
>> This is fixed-length, so the issue of hiding a length does not arise,
>> and OpenBSD comes with and is built by a particular C compiler. I am
>> not aware of them trying to introduce a similar function for variable
>> length strings (OK, this may be in part because of the way strings are
>> commonly stored in C, where even to determine the string length you'd
>> have to be non-constant time already).
>>
>> Hiding a string length is really tricky, and only possible to a more
>> limited extent than hiding byte value differences.
>
> I agree that hiding string length is hard.
> Another way to protect from a timing attack is to have a random sleep, but
> this is tricky also. Too short or too long a sleep doesn't help.
>
Using time delays with a random distribution will simply average out since it would have a minimal
min to max range. It would work for a few requests but not the thousands an exploit would possibly use
to get a statistical sample for analysis.
Paddy
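The averaging-out argument above, worked through as an added simulation (this is example code written for this page, not code from the thread or from PHP). Nothing here is timed with a clock: the compare is a model in which every byte examined costs one unit (the hypothetical constant UNIT), the "random sleep" is uniform jitter added on top, and the secret is assumed to be a hex string (the constructed sample b"c0de" and the ALPHABET constant are assumptions). The compare itself is modelled on strcmp over NUL-terminated strings, which is the C string convention the quoted text mentions. The attacker averages many observations per candidate byte; samples_needed() gives the rough count from the jitter's standard deviation, and success_rate() contrasts a handful of requests, thousands of requests, and a constant-time compare.

```python
"""Simulation of a random sleep as a timing-leak countermeasure.

Added example, not from the mailing-list thread.  Nothing is timed with a
clock: the compare is a *model* in which each byte examined costs one unit,
and the "random sleep" adds uniformly distributed jitter on top.  The
attacker averages many observations per candidate byte, which is exactly
what makes the jitter average out.
"""
import random
import statistics

ALPHABET = b"0123456789abcdef"  # assumption: the secret is a hex string
UNIT = 100.0                    # assumed cost of examining one byte


def strcmp_cost(secret: bytes, guess: bytes) -> int:
    """Bytes examined by a strcmp-style compare over NUL-terminated strings.

    It stops at the first differing byte, or after both terminators match,
    so the cost reveals the length of the matching prefix."""
    s, g = secret + b"\0", guess + b"\0"
    examined = 0
    for a, b in zip(s, g):
        examined += 1
        if a != b or a == 0:
            break
    return examined


def constant_cost(secret: bytes, guess: bytes) -> int:
    """Constant-time compare: always walks the whole secret (plus NUL)."""
    return len(secret) + 1


def observe(cost_fn, secret, guess, rng, jitter_max):
    """One observation: modelled compare cost plus a random sleep in [0, jitter_max]."""
    return cost_fn(secret, guess) * UNIT + rng.uniform(0.0, jitter_max)


def recover_secret(cost_fn, secret, rng, samples, jitter_max):
    """Recover the secret byte by byte, averaging `samples` observations per candidate.

    A correct byte makes the compare examine one more byte than a wrong one,
    so the candidate with the highest mean is taken as correct."""
    known = b""
    for _ in range(len(secret)):
        best_byte, best_mean = None, float("-inf")
        for c in ALPHABET:
            guess = known + bytes([c])
            mean = statistics.fmean(
                observe(cost_fn, secret, guess, rng, jitter_max)
                for _ in range(samples)
            )
            if mean > best_mean:
                best_byte, best_mean = c, mean
        known += bytes([best_byte])
    return known


def samples_needed(jitter_max, z=8.0):
    """Samples per candidate so the mean resolves a one-UNIT difference.

    Uniform jitter on [0, J] has standard deviation J / sqrt(12); the
    standard error of the mean shrinks as 1/sqrt(n), so the attacker only
    needs n large enough that z standard errors fit inside UNIT."""
    sigma = jitter_max / 12 ** 0.5
    return int((z * sigma / UNIT) ** 2) + 1


def success_rate(cost_fn, secret, samples, jitter_max, trials, seed=1):
    """Fraction of independent attack runs that recover the whole secret."""
    rng = random.Random(seed)
    hits = sum(
        recover_secret(cost_fn, secret, rng, samples, jitter_max) == secret
        for _ in range(trials)
    )
    return hits / trials


if __name__ == "__main__":
    secret = b"c0de"          # constructed sample secret
    jitter = 20 * UNIT        # sleep up to 20x the per-byte cost
    n = samples_needed(jitter)
    print("samples per candidate:", n)
    print("leaky, few samples  :", success_rate(strcmp_cost, secret, 10, jitter, 50))
    print("leaky, many samples :", success_rate(strcmp_cost, secret, n, jitter, 3))
    print("constant-time       :", success_rate(constant_cost, secret, n, jitter, 3))
```

With jitter twenty times larger than the per-byte signal, ten samples per candidate recover almost nothing, while a couple of thousand samples per candidate recover the whole secret every time; against the constant-time model the same budget recovers nothing, because there is no signal left to average towards. Widening the sleep only raises the sample count quadratically (it enters samples_needed as sigma squared), which is the "thousands of requests" point rather than a fix.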