Re: [VOTE] Timing attack safe string comparison function

From:	Yasuo Ohgaki	Date:	Thu, 06 Feb 2014 04:20:55 +0000
Subject:	Re: [VOTE] Timing attack safe string comparison function
References:	1 2 3 4 5 6 7 8	Groups:	php.internals
Request:	Send a blank email to [email protected] to get a copy of this message

Hi all,

On Thu, Feb 6, 2014 at 12:56 PM, Yasuo Ohgaki <[email protected]> wrote:

> Padraic gave me an another idea of additional mitigation for this.
> Although we cannot rely on it, randomized delay can be used
> as mitigation. It would be good for length leak.
>
> On Thu, Feb 6, 2014 at 10:28 AM, Yasuo Ohgaki <[email protected]> wrote:
>
>> Perhaps, something like this would be good enough.
>>
>>  + /**
>>  +  * If known_string has a length of 0 we set the length to 1,
>>  +  * this will cause us to compare all bytes of userString with the
>> null byte which fails
>>  +  */
>>  + mod_len = MAX(known_len, 1);
>> len = MAX(user_len, 64); // Do not care much
>> len = MAX(known_len, len); // Do not care much
>>
>> // These kind of operations have done somewhere anyway
>> // Just don't care.
>> k = (unsinged char *)emalloc(len+1)
>> u = (unsinged char *)emalloc(len+1);
>> memset(k, 0, len+1);
>> memset(u, 0, len+1);
>> strncpy(k, known_str, known_len);
>> strncpy(u, user_str, user_len);
>>
>
> // Determination of delay is tricky. Too short or too long delay does not
> work.
> // It depends on execution path/data. e.g. How many times
> strlen/strncpy/etc is called, length of string.
> // I'm not sure if this is sufficient/valid as mitigation for average
> usage. Experiments are needed.
> // Improvement/suggestion is appreciated.
>     r1 = (unsigned char)get_random_byte();
>     r1 *= 2; // doubles range
>     for (; r1 > 0; r1--) {
>       r2 = (unsigned char)get_random_byte();
>       for (; r2 > 0; r2--) {
>         if (r1 < r2) {
>            buf[r2] = r2 % r1;
>         } else {
>            buf[r2] = r1 % r2;
>         }
>       }
>     }
>
>   +
>>  + /* This is security sensitive code. Do not optimize this for speed. */
>>  + result = known_len - user_len;
>>
>>
>> +	for (j = 0; j < user_len; j++) {
>>
>>
>> +		result |= known_str[j % mod_len] ^ user_str[j];
>>
>> for (; len > 0; len--) {
>>
>>                                  result |= *k++ ^ *u++; // This must be constant. Use
>> simpler operation and keep constant operation here is enough.
>>
>>
>>
>>
>>  + }
>>
>
Since comparison of short and/or not hashed data (e.g. user supplied raw
password) should
not be done as the function name imply, we may better to document so that
users always
compare hashed values even when they store raw password/etc.
So randomized delay may be overkill.

Regards,

--
Yasuo Ohgaki
[email protected]


   

Thread (54 messages)

• Rouven WeßlingSun, 02 Feb 2014 22:50:21 +0000
  • Yasuo OhgakiMon, 03 Feb 2014 01:48:35 +0000
  • Joe WatkinsMon, 03 Feb 2014 07:07:09 +0000Re: [VOTE] Timing attack safe string comparison function
  • Andrea FauldsMon, 03 Feb 2014 12:23:53 +0000
    • Sara GolemonMon, 03 Feb 2014 16:21:25 +0000
  • Sara GolemonMon, 03 Feb 2014 16:18:49 +0000
    • Yasuo OhgakiWed, 05 Feb 2014 02:39:06 +0000
  • Nikita PopovMon, 03 Feb 2014 17:10:05 +0000
    • Pádraic BradyMon, 03 Feb 2014 19:58:21 +0000
    • Yasuo OhgakiMon, 03 Feb 2014 20:57:13 +0000
      • Yasuo OhgakiMon, 03 Feb 2014 21:04:35 +0000
    • Stas MalyshevMon, 03 Feb 2014 22:09:32 +0000
      • Yasuo OhgakiTue, 04 Feb 2014 04:06:30 +0000
        • Yasuo OhgakiTue, 04 Feb 2014 04:30:06 +0000
        • Yasuo OhgakiWed, 05 Feb 2014 02:58:42 +0000
          • Rouven WeßlingWed, 05 Feb 2014 23:36:44 +0000
            • Yasuo OhgakiThu, 06 Feb 2014 01:28:38 +0000
              • Yasuo OhgakiThu, 06 Feb 2014 03:56:11 +0000
                • Yasuo OhgakiThu, 06 Feb 2014 04:20:55 +0000
                  • Yasuo OhgakiThu, 06 Feb 2014 04:31:17 +0000
                    • Yasuo OhgakiThu, 06 Feb 2014 05:17:18 +0000
                • Christopher JonesThu, 06 Feb 2014 04:23:23 +0000
                  • Pierre JoyeThu, 06 Feb 2014 05:24:53 +0000
                    • Stas MalyshevThu, 06 Feb 2014 07:01:36 +0000
                      • Pierre JoyeThu, 06 Feb 2014 07:09:06 +0000
    • Tjerk MeestersTue, 04 Feb 2014 06:20:37 +0000
  • Yasuo OhgakiThu, 06 Feb 2014 23:05:05 +0000
    • Yasuo OhgakiFri, 07 Feb 2014 01:39:31 +0000
      • Yasuo OhgakiMon, 10 Feb 2014 00:24:25 +0000
        • Yasuo OhgakiMon, 10 Feb 2014 01:15:25 +0000
          • Yasuo OhgakiMon, 10 Feb 2014 01:37:58 +0000
          • Yasuo OhgakiMon, 10 Feb 2014 01:58:00 +0000
          • Tjerk MeestersMon, 10 Feb 2014 09:29:31 +0000
            • Pádraic BradyMon, 10 Feb 2014 12:39:26 +0000
        • Lester CaineMon, 10 Feb 2014 09:03:07 +0000
          • Yasuo OhgakiWed, 12 Feb 2014 07:01:35 +0000
            • Lester CaineWed, 12 Feb 2014 07:24:16 +0000
              • Yasuo OhgakiWed, 12 Feb 2014 08:11:21 +0000
  • Rouven WeßlingSun, 23 Feb 2014 15:11:21 +0000
    • Rouven WeßlingSun, 23 Feb 2014 18:31:38 +0000
      • Yasuo OhgakiSun, 23 Feb 2014 20:59:09 +0000
        • Rouven WeßlingSun, 23 Feb 2014 21:05:43 +0000
          • Yasuo OhgakiMon, 24 Feb 2014 04:22:00 +0000
            • Lester CaineMon, 24 Feb 2014 08:11:06 +0000
              • Yasuo OhgakiMon, 24 Feb 2014 09:00:24 +0000
  • Yasuo OhgakiTue, 18 Mar 2014 01:04:35 +0000
    • Rouven WeßlingTue, 18 Mar 2014 11:23:25 +0000
      • Adam HarveyTue, 18 Mar 2014 16:13:33 +0000
        • Ferenc KovacsTue, 18 Mar 2014 18:56:47 +0000
          • Yasuo OhgakiWed, 19 Mar 2014 00:27:57 +0000
            • Ferenc KovacsWed, 19 Mar 2014 02:31:38 +0000
• Andrey AndreevWed, 05 Feb 2014 20:18:17 +0000Re: [VOTE] Timing attack safe string comparison function
• Andrey AndreevMon, 24 Feb 2014 08:13:35 +0000Re: [VOTE] Timing attack safe string comparison function
  • Tjerk MeestersMon, 24 Feb 2014 11:25:58 +0000