Pádraic Brady wrote:
On 6 February 2014 23:18, Lester Caine <[email protected]> wrote:
Yasuo Ohgaki wrote:
A timing attack can be used to guess the hash itself, one by one. There are many use cases that may be attacked by timing, e.g. API keys. This way, an unbreakable random hash may be broken relatively easily.
What I am missing, Yasuo, is a practical example of how this can be actioned, as my normal methods would simply delay any following attempt to use a hash after a few failed attempts. That should be normal practice to block a hack attempt?
I can run a server indefinitely. So can an attacker. What you're saying is that a time delay is added to lock an account. If you compare that to a timing attack requiring 1000 requests (assumed) with a 3 second inter-request delay from your measure, you end up with a total execution time of one hour (approx). For a 60 byte password hash, that's 60 hours. I could throw it at a cloud server and let it rip. Heck, I could let it rip for a whole month to get a really incredible sample for analysis. After all, if I'm going to hack a heating system to get to a POS terminal inside Target, I probably can write code ;).

Time delays assume the attacker lacks the computational resources and determination needed to absorb the delay.
No, his hack attempt assumes that a reply happens in a certain time; this 'fix' is designed to make the response time consistent to prevent a timed attack, while I am saying that I would actually have blocked the account after 10 attempts, but that I would delay responding up until that limit. Some sites simply block at three failed attempts, but that is too quick? Yes, the DOS attacks then become a problem, blocking accounts, but that is a different problem. If your site is vulnerable to a 'timed attack' then something else is wrong?
--
Lester Caine - G8HFL
-----------------------------
Contact - http://lsces.co.uk/wiki/?page=contact
L.S.Caine Electronic Services - http://lsces.co.uk
EnquirySolve - http://enquirysolve.com/
Model Engineers Digital Workshop - http://medw.co.uk
Rainbow Digital Media - http://rainbowdigitalmedia.co.uk
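As an added illustration of what the thread is arguing about (example code written for this page, not from the thread, from PHP, or from any of the posters): an early-exit string comparison does a different amount of work depending on how many leading bytes of the supplied value match the secret, which is the signal a timing attack measures, whereas a constant-time comparison always touches every byte. The `examined` counter is a hypothetical instrumentation hook so the two behaviours can be compared deterministically instead of with noisy wall-clock timings; `hmac.compare_digest` stands in for PHP's `hash_equals()` as the production primitive.

```python
import hmac


def naive_equals(known: bytes, supplied: bytes) -> tuple[bool, int]:
    """Early-exit comparison; returns (equal, number_of_bytes_examined).

    The byte count is only an illustration: the work done, and therefore
    the response time, grows with the length of the matching prefix.
    """
    if len(known) != len(supplied):
        return False, 0
    examined = 0
    for a, b in zip(known, supplied):
        examined += 1
        if a != b:          # stops at the first mismatch
            return False, examined
    return True, examined


def constant_time_equals(known: bytes, supplied: bytes) -> tuple[bool, int]:
    """Constant-time comparison; returns (equal, number_of_bytes_examined).

    Every byte is OR-ed into `diff`, so the loop never exits early and the
    work does not depend on where a mismatch occurs. Only the length is
    allowed to differ (the same behaviour as hash_equals / compare_digest).
    """
    if len(known) != len(supplied):
        return False, 0
    diff = 0
    examined = 0
    for a, b in zip(known, supplied):
        examined += 1
        diff |= a ^ b
    return diff == 0, examined


def verify_api_key(stored: bytes, presented: bytes) -> bool:
    """What an application should actually call: the library primitive."""
    return hmac.compare_digest(stored, presented)


if __name__ == "__main__":
    secret = b"0123456789abcdef"          # constructed sample secret
    for guess in (b"X123456789abcdef", b"01234567X9abcdef", b"0123456789abcdeX"):
        print("naive   ", naive_equals(secret, guess))
        print("constant", constant_time_equals(secret, guess))
```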