Re: Time Invariant String Comparison


On Thu, Jan 16, 2014 at 12:44:53 +0100, Jason A. Donenfeld wrote:
> Over at cgit [1] we use Lua for our authentication framework [2]. One
> thing we're doing wrong is lines like these:
> 
> 	if password == post["password"] then
> 
> Since an attacker can control the post params, this test is vulnerable
> to a timing attack, by which an attacker could determine the password
> one character at a time by analysis of response time.
> 
> What I'm looking for is some clever way in Lua to compare two strings
> in a time invariant way. Any suggestions?

Lua's strings are interned and hashed. As a result, string comparison for
equality is pretty much constant time :)

D.
-- 
Daniel Silverstone http://www.digital-scurf.org/
PGP mail accepted and encouraged. Key Id: 3CCE BABE 206C 3B69
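
A comparison helper of the kind the question asks for, as an added example that is not part of the original message or of cgit's code. It assumes Lua 5.3 or later for the integer operators `~` and `|`; the name `constant_time_equals` and the sample values are hypothetical, and it does not rely on how the interpreter stores or compares strings.

```lua
-- Added example (not cgit's code). Assumes Lua 5.3+ for the integer
-- operators `~` (xor) and `|` (or).

-- Compare two strings by visiting every byte of `expected`, wherever the
-- first mismatch is, so the amount of work does not depend on how many
-- leading characters of `supplied` are correct.
local function constant_time_equals(expected, supplied)
  if type(expected) ~= "string" or type(supplied) ~= "string" then
    return false -- e.g. the POST parameter is missing (nil)
  end
  -- Fold the length difference into the accumulator instead of
  -- returning early on a length mismatch.
  local diff = #expected ~ #supplied
  local n = #supplied
  for i = 1, #expected do
    local e = expected:byte(i)
    -- Index `supplied` modulo its length so a shorter input still costs
    -- one byte read per iteration; an empty input reads as 0.
    local s = 0
    if n > 0 then
      s = supplied:byte((i - 1) % n + 1)
    end
    -- Accumulate differences; no branch depends on the byte values.
    diff = diff | (e ~ s)
  end
  return diff == 0
end

-- Constructed sample values, standing in for the stored password and
-- the attacker-controlled POST parameters from the question.
local password = "correct horse"
local post = { password = "correct horsf" }

assert(constant_time_equals(password, "correct horse"))
assert(not constant_time_equals(password, post["password"])) -- last byte differs
assert(not constant_time_equals(password, "correct"))        -- shorter input
assert(not constant_time_equals(password, ""))               -- empty input
assert(not constant_time_equals(password, nil))              -- missing parameter

return constant_time_equals
```

The loop length depends only on the stored value, so the running time can still reveal the length of `expected` but not which prefix of the supplied value matched.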
