Re: [VOTE] Timing attack safe string comparison function

From:	Lester Caine	Date:	Mon, 24 Feb 2014 08:11:06 +0000
Subject:	Re: [VOTE] Timing attack safe string comparison function
References:	1 2 3 4 5 6	Groups:	php.internals
Request:	Send a blank email to [email protected] to get a copy of this message

Yasuo Ohgaki wrote:
I did some experiments. It seems it's good to implement timing safe
comparison in engine. i.e. We can make ==/=== secure by default like
Python. It would be much safer get rid of all timing from PHP.

We need new RFC to include the change in engine.

That's not how I read that discussion (though I might have missed a mail).
Also personally I don't like it. I don't see that the supposed gain in
security is worth the performance implication. Also if it turns out there's
a bug, and we'd have to make it 100 times slower for some reason, than
that's not a big deal for a function like hash_equals. It is however if it
affects all comparisons.

Since I don't believe in that change, I'm not interested in proposing that
RFC.

Understood. This is OK.

From the experiment, performance implication is not much.
Automatic protection in any place would worth the trade off. IMHO.
Python even uses less efficient hash for comparison. I heard they
use optimized version of SipHash, we may better try it before deciding
algorithm, though.

Any other comments regarding ==/=== timing safety?

Surely there are two elements to this?

Simply comparing two strings in a time stable manner is relatively easy. You just modify the compare to store the result and always complete a full scan. Only the lengths of the string come into that. How physically that is handled in the processor will actually determine if the time taken is 'byte sensitive' anyway! Simply stopping the core process from the unnecessary <> comparison where the answer is not used is going to be a performance gain, all be it minuscule, but the timing differences that are trying to be hidden are even smaller than that? Tidying the core use of string compare is generally more useful than simply adding yet another method of calling it.

The other element here is actually calculating the hash value to compare with? That will also depend on just how the processor is processing multiple bytes, so simply fixing the final comparison may be somewhat irrelevant if the hash generation also has a leak? Yes it should be another constant, but what is being fed in is the variable being changed during the attack?

-- 
Lester Caine - G8HFL
-----------------------------
Contact - http://lsces.co.uk/wiki/?page=contact
L.S.Caine Electronic Services - http://lsces.co.uk
EnquirySolve - http://enquirysolve.com/
Model Engineers Digital Workshop - http://medw.co.uk
Rainbow Digital Media - http://rainbowdigitalmedia.co.uk


   

Thread (54 messages)

• Rouven WeßlingSun, 02 Feb 2014 22:50:21 +0000
  • Yasuo OhgakiMon, 03 Feb 2014 01:48:35 +0000
  • Joe WatkinsMon, 03 Feb 2014 07:07:09 +0000Re: [VOTE] Timing attack safe string comparison function
  • Andrea FauldsMon, 03 Feb 2014 12:23:53 +0000
    • Sara GolemonMon, 03 Feb 2014 16:21:25 +0000
  • Sara GolemonMon, 03 Feb 2014 16:18:49 +0000
    • Yasuo OhgakiWed, 05 Feb 2014 02:39:06 +0000
  • Nikita PopovMon, 03 Feb 2014 17:10:05 +0000
    • Pádraic BradyMon, 03 Feb 2014 19:58:21 +0000
    • Yasuo OhgakiMon, 03 Feb 2014 20:57:13 +0000
      • Yasuo OhgakiMon, 03 Feb 2014 21:04:35 +0000
    • Stas MalyshevMon, 03 Feb 2014 22:09:32 +0000
      • Yasuo OhgakiTue, 04 Feb 2014 04:06:30 +0000
        • Yasuo OhgakiTue, 04 Feb 2014 04:30:06 +0000
        • Yasuo OhgakiWed, 05 Feb 2014 02:58:42 +0000
          • Rouven WeßlingWed, 05 Feb 2014 23:36:44 +0000
            • Yasuo OhgakiThu, 06 Feb 2014 01:28:38 +0000
              • Yasuo OhgakiThu, 06 Feb 2014 03:56:11 +0000
                • Yasuo OhgakiThu, 06 Feb 2014 04:20:55 +0000
                  • Yasuo OhgakiThu, 06 Feb 2014 04:31:17 +0000
                    • Yasuo OhgakiThu, 06 Feb 2014 05:17:18 +0000
                • Christopher JonesThu, 06 Feb 2014 04:23:23 +0000
                  • Pierre JoyeThu, 06 Feb 2014 05:24:53 +0000
                    • Stas MalyshevThu, 06 Feb 2014 07:01:36 +0000
                      • Pierre JoyeThu, 06 Feb 2014 07:09:06 +0000
    • Tjerk MeestersTue, 04 Feb 2014 06:20:37 +0000
  • Yasuo OhgakiThu, 06 Feb 2014 23:05:05 +0000
    • Yasuo OhgakiFri, 07 Feb 2014 01:39:31 +0000
      • Yasuo OhgakiMon, 10 Feb 2014 00:24:25 +0000
        • Yasuo OhgakiMon, 10 Feb 2014 01:15:25 +0000
          • Yasuo OhgakiMon, 10 Feb 2014 01:37:58 +0000
          • Yasuo OhgakiMon, 10 Feb 2014 01:58:00 +0000
          • Tjerk MeestersMon, 10 Feb 2014 09:29:31 +0000
            • Pádraic BradyMon, 10 Feb 2014 12:39:26 +0000
        • Lester CaineMon, 10 Feb 2014 09:03:07 +0000
          • Yasuo OhgakiWed, 12 Feb 2014 07:01:35 +0000
            • Lester CaineWed, 12 Feb 2014 07:24:16 +0000
              • Yasuo OhgakiWed, 12 Feb 2014 08:11:21 +0000
  • Rouven WeßlingSun, 23 Feb 2014 15:11:21 +0000
    • Rouven WeßlingSun, 23 Feb 2014 18:31:38 +0000
      • Yasuo OhgakiSun, 23 Feb 2014 20:59:09 +0000
        • Rouven WeßlingSun, 23 Feb 2014 21:05:43 +0000
          • Yasuo OhgakiMon, 24 Feb 2014 04:22:00 +0000
            • Lester CaineMon, 24 Feb 2014 08:11:06 +0000
              • Yasuo OhgakiMon, 24 Feb 2014 09:00:24 +0000
  • Yasuo OhgakiTue, 18 Mar 2014 01:04:35 +0000
    • Rouven WeßlingTue, 18 Mar 2014 11:23:25 +0000
      • Adam HarveyTue, 18 Mar 2014 16:13:33 +0000
        • Ferenc KovacsTue, 18 Mar 2014 18:56:47 +0000
          • Yasuo OhgakiWed, 19 Mar 2014 00:27:57 +0000
            • Ferenc KovacsWed, 19 Mar 2014 02:31:38 +0000
• Andrey AndreevWed, 05 Feb 2014 20:18:17 +0000Re: [VOTE] Timing attack safe string comparison function
• Andrey AndreevMon, 24 Feb 2014 08:13:35 +0000Re: [VOTE] Timing attack safe string comparison function
  • Tjerk MeestersMon, 24 Feb 2014 11:25:58 +0000