Questions tagged [timing-attack]

73 questions
39 votes, 3 answers

Why should memcmp not be used to compare security critical data?

From man 3 memcmp: Do not use memcmp() to compare security critical data, such as cryptographic secrets, because the required CPU time depends on the number of equal bytes. Instead, a function that performs comparisons in constant…
gaazkam
36 votes, 8 answers

Should I worry about remote timing attacks on string comparison?

Say we have a Java web application which uses a shared secret to verify the identity of the client. The secret is stored on the server, and the client transmits the secret over SSL where it is checked: String SECRET_ON_SERVER =…
George Powell
23 votes, 3 answers

Simple string comparisons not secure against timing attacks

As I learned in a comment for How to encrypt in PHP, properly?, I was told using a string comparison like the following in PHP is susceptible to timing attacks. So it should not be used to compare two MACs or hashes (also password hashes) for…
evildead
22 votes, 1 answer

Timing attacks on password hashes

Timing attacks can have a devastating impact in scenarios where the secret is involved, often in cases where byte-wise array comparison is used. Now there are those that advertise using constant time array comparison in any situation where data is…
emboss
22 votes, 5 answers

Timing Safe String Comparison - Avoiding Length Leak

Let's say that we're building a generic timing-safe comparison function for general purpose use. Making it so that it is safe when both strings are equal length is pretty well known. However, what I'm not sure about is how we can make it safe if the…
ircmaxell
21 votes, 2 answers

Timing attack against HMAC in authenticated encryption?

In an answer to another question of mine, it was noted that a class using standard string comparison functions when checking the HMAC in authenticated encryption would make the class vulnerable to timing attacks against the HMAC. I can't wrap my…
Monika
20 votes, 2 answers

How does SSH defend against keystroke-timing attacks?

This paper: https://www.usenix.org/legacy/events/sec01/full_papers/song/song.pdf Explains how SSH can be compromised by analyzing the timing of the keystrokes to guess what the user is typing. It's about 12 years old. I heard that this attack…
Ram Rachum
19 votes, 2 answers

Principles of cache attacks

There are many scientific publications that deal with cache attacks. Most recently, the CacheBleed attack was published which exploits cache bank conflicts on the Intel Sandy Bridge architecture. Most timing attacks use a similar approach: The…
null
18 votes, 5 answers

How can I prevent side-channel attacks against authentication?

After reading this excellent answer, I learned about the existence of side-channel attacks. From the code example provided, it is possible to determine the correct password by timing the code when given various inputs. for (i = 0; i < n; i++) { …
dalearn
17 votes, 2 answers

Can I prevent timing attacks with random delays?

I read recently about profiling for valid user accounts with timing attacks, IE the application-under-attack takes a predictably different amount of time to process say a login on a non-existent user from an existent user. Yet I've never seen in any…
Iain Duncan
15 votes, 7 answers

Mitigate timing attack threat against password recovery page

We recently had an external security review performed on a public-facing website we manage. They noted that on the "recover password page", there are different response times when providing existing and non-existing usernames. They claim this could…
MEMark
14 votes, 7 answers

Timing attacks in password hash comparisons

I had a discussion with a friend today about his password hash comparison. I argued that you can't return false on the first hash mismatch you have and I sent him a link to an article about a Java timing attack that happened in Java 6. public static…
YShow
13 votes, 3 answers

Are there any successful cases of timing attacks over the internet?

Potential timing attacks are always brought up in one context or the other but I don't think I've ever read a case where someone has actually executed such an attack over the internet.
12 votes, 2 answers

Does bcrypt compare the hashes in "length-constant" time?

I saw this function slowEquals() while reading Salted Password Hashing - Doing it Right, which uses a byte-level xor comparison to avoid timing attacks. I was wondering whether this is what Bcrypt also does to avoid timing attacks. I use Openwall…
DevD
12 votes, 5 answers

Are variable time comparisons always a security risk in cryptography code?

I came across the cryptography python package, and noticed it had the following about reporting security vulnerabilities: Examples of things we wouldn’t consider security issues: Using a variable time comparison somewhere, if it’s not possible to…
curiousgeorge7