From: Daniel Borkmann <dborkman@redhat.com>
To: Andy Lutomirski <luto@amacapital.net>
Cc: gregkh@linuxfoundation.org, akpm@linux-foundation.org,
linux-kernel@vger.kernel.org
Subject: Re: [PATCH] lib: memcmp_nta: add timing-attack secure memcmp
Date: Mon, 11 Feb 2013 20:39:20 +0100 [thread overview]
Message-ID: <511948E8.5030404@redhat.com> (raw)
In-Reply-To: <51193A79.9090907@amacapital.net>
On 02/11/2013 07:37 PM, Andy Lutomirski wrote:
> On 02/10/2013 02:00 PM, Daniel Borkmann wrote:
>> If you need to compare a password or a hash value, the timing of the
>> comparison function can give valuable clues to the attacker. Let's
>> say the password is 123456 and the attacker tries abcdef. If the
>> comparision function fails at the first byte without looking at the
>> other bytes, then the attacker can measure the difference in runtime
>> and deduce which byte was wrong, reducing the attack space from
>> exponential to polynomial. [Daniel J. Bernstein]
>>
>> Therefore add memcmp_nta ({n}o {t}iming {a}ttacks) in order to avoid
>> such scenarios and to facilitate development by providing a generic
>> function for (e.g.) the crypto and networking subsystems.
>>
>> Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
>> ---
>
> I read this as "compare memory with non-temporal access". Perhaps
> something like "memcpy_constant_time" would be less confusing.
You probably mean "memcmp_constant_time".
Well, this could probably be misinterpreted, that for every possible input
it will take only O(1), which of course it doesn't. It's simply that for both
results (``equals to'', ``does not equal to'') it will take the same amount of
*operations* to achieve this in order to not leak any time information of a
successful or not successful comparison, where the attacker could draw
conclusions if he might have gotten parts of the hash/key/.. right or wrong.
next prev parent reply other threads:[~2013-02-11 19:39 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <cover.1360528614.git.dborkman@redhat.com>
2013-02-10 22:00 ` [PATCH] lib: memcmp_nta: add timing-attack secure memcmp Daniel Borkmann
2013-02-10 23:24 ` Joe Perches
2013-02-10 23:30 ` Daniel Borkmann
2013-02-10 23:50 ` Greg KH
2013-02-11 8:19 ` Daniel Borkmann
2013-02-11 18:37 ` Andy Lutomirski
2013-02-11 19:39 ` Daniel Borkmann [this message]
2013-02-11 19:00 ` Florian Weimer
2013-02-11 22:58 ` Daniel Borkmann
2013-02-12 10:23 ` Florian Weimer
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=511948E8.5030404@redhat.com \
--to=dborkman@redhat.com \
--cc=akpm@linux-foundation.org \
--cc=gregkh@linuxfoundation.org \
--cc=linux-kernel@vger.kernel.org \
--cc=luto@amacapital.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox