Questions tagged [timing-attack]
73 questions
0
votes
0 answers
Length-constant password comparison in scrypt?
E.g.: XORing the candidate against stored then comparing against 0.
Do I need to worry?
(my question is much in the same style as this question: Does bcrypt compare the hashes in "length-constant" time?)
A T
- 183
- 7
0
votes
1 answer
Timing Attacks in RSA
Considering the classic scenario of Eve trying to listen in to Alice and Bob's conversation, if Eve can intercept messages between Alice and Bob but with no access to their computers would Timing attacks be possible? Am I right in saying it isnt…
obsessiveCookie
- 125
- 4
0
votes
1 answer
How to specify a Snort rule connection duration?
Is it even possible to specify into a snort rule the duration of a connection?
For example: in this format Hour, Minute, Second
H, M, S = 0, 2, 1
If a connection that has the duration of 2 minutes and 1 second, then alert.
Or in this sense:
If a…
nixor01
- 87
- 1
- 8
0
votes
0 answers
Is there a generic way to prevent HTTP timing attacks for sensitive requests?
If I have sensitive HTTP routes that could be subject to timing attacks (trying to guess an ID, user, etc.), is there a way without modifying the application code that it could be wrapped with a network tweak, proxy, or some other program so timing…
Nick T
- 3,382
- 4
- 21
- 28
0
votes
2 answers
What are best practices for finding an account in a SQL database during authentication? Is using `LIMIT 1` vulnerable to timing attacks?
I have a application where users can log in by providing a username or email address (both case insensitive) and a password. In the users table in the database, the relevant account information is stored in three columns lowercase_username,…
limitone
- 3
- 1
0
votes
0 answers
How to prevent a timing attack when I do/don't perform password_verify (depending if the user exists)?
Here is the code which potentially can allow a timing attack
$user = getUserFromDatabase($input_username);
if ($user === false) { // potential timing attack
// user not exist
http_response_code(401);
echo json_encode(["message" =>…
JoJo
- 11
0
votes
0 answers
Is using a developer key to protect a REST API good practice?
I'd like to implement a RESTful API service over HTTP that developers can call from their server side environments.
I intend to use a cryptographically secure pseudo-random number generator (CSPRNG) to generate keys and then convert the bits to a…
Andy Fusniak
- 113
- 4
0
votes
0 answers
Constant-Time String-to-Byte Encoding for JavaScript
When dealing with cryptographic secrets (private keys, passwords, etc) it is desirable to not run these secrets through functions that do not run in constant time, in order to avoid the potential for side channel attacks. An example of this would be…
Danilo Bargen
- 336
- 1
- 4
- 11
0
votes
0 answers
In the time side channel, is there any way to improve the measurement time accuracy?
I want to measure the execution time of a function. The execution time of this function is only slightly different in the two cases. Is there any way I can accurately measure its time to distinguish the two cases?
The possible solutions are:
Use…
Gerrie
- 101
- 2
0
votes
1 answer
Are there any mechanisms in TLS 1.2 protocol against timing attacks?
Are there any mechanisms in the TLS 1.2 protocol (not implementation) against timing attacks? For example, that the handshake response time should be padded to X milliseconds? Or should I implement such mechanisms manually ?
Bleeding Alice
- 29
- 4
-1
votes
1 answer
Are there security implications to not installing the Leap Second patch on Red Hat systems?
What are Leap Seconds?
A leap second is a second which is added to Coordinated Universal Time (UTC) in order to synchronize atomic clocks with astronomical time.
The reason we have to add a second every now and then, is that Earth's rotation around…
Michael
- 1,457
- 1
- 18
- 36
-2
votes
1 answer
Why did I get unresponsive script when I start my system and open web browser?
The script on opening web broswersays Warning: Unresponsive Script
A script on this page may be busy,or it may have stopped responding.You can stop the script now,or you can continue to see if the script will…
harvardfail
- 193
- 8
-3
votes
1 answer
What threats involve in cache miss
What are the possible consequences of a cache miss? In other word, is it possible that a cache miss could cause a security threat?
Thank you.
Michael
- 403
- 2
- 9