Message162858
| Author | fijall |
| Recipients | arigo, christian.heimes, fijall, hynek, loewis, ncoghlan, pitrou |
| Date | 2012-06-15.07:49:06 |
| SpamBayes Score | -1.0 |
| Marked as misclassified | Yes |
| Message-id | <CAK5idxRGQ-aGTWpi78O=OhwFpKpG=UM2+3TrSCDbc70cE=ggVw@mail.gmail.com> |
| In-reply-to | <1339746101.2.0.168012572077.issue15061@psf.upfronthosting.co.za> |
| Content |
On Fri, Jun 15, 2012 at 9:41 AM, Nick Coghlan <report@bugs.python.org> wrote:
>
> Nick Coghlan <ncoghlan@gmail.com> added the comment:
>
> To repeat, the specific feature being proposed for retention is:
>
> * a function called hmac.total_compare() that is clearly documented as
> being still vulnerable to timing analysis given a sufficiently
> sophisticated attacker, while still being more resistant to such analysis
> than the standard comparison operator
>
> * restricting that function to operating on bytes, to eliminate timing
> variations associated with encoding/decoding of Unicode text and reduce
> those associated with the calculation of integer values
>
> Leaking less information on each comparison is intended to increase the
> effectiveness of higher level timing attack countermeasures (such as rate
> limiting and lockouts). Anyone that would use "hmac.total_compare" and call
> it done is likely using ordinary comparison today (which is even worse).
>
> ----------
>
> _______________________________________
> Python tracker <report@bugs.python.org>
> <http://bugs.python.org/issue15061>
> _______________________________________
>
Nick, I fail to understand why you are opposing writing such a function in
C. Such a function can be provably time-independent (and as MvL says this
is a binary state), at least as long as it operates on bytes (I'll refrain
from asking about Unicode, I think it's possible, but I dunno).
For the same function in Python it's at the very least much harder to prove
(and has bugs as we've seen).
Cheers,
fijal |
|
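The bytes-only comparison discussed in this message, sketched in C as an added example (it is not code from the thread or from CPython). The function names, the `examined` counter and the 8-byte sample values are constructed for illustration, and both buffers are assumed to have the same length; the counter shows deterministically what an early-exit comparison leaks and what an accumulating one does not.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed 8-byte sample values (not real digests). */
static const unsigned char EXPECTED[8]    = {0xde,0xad,0xbe,0xef,0x01,0x02,0x03,0x04};
static const unsigned char WRONG_FIRST[8] = {0x00,0xad,0xbe,0xef,0x01,0x02,0x03,0x04};
static const unsigned char WRONG_LAST[8]  = {0xde,0xad,0xbe,0xef,0x01,0x02,0x03,0x05};

/* Early-exit comparison, as an ordinary equality check behaves. *examined
 * is the number of bytes read before returning: the data-dependent quantity
 * that response-time measurements reveal. */
static int leaky_equal(const unsigned char *a, const unsigned char *b,
                       size_t len, size_t *examined)
{
    for (size_t i = 0; i < len; i++) {
        if (a[i] != b[i]) {
            *examined = i + 1;
            return 0;
        }
    }
    *examined = len;
    return 1;
}

/* Accumulating comparison (hypothetical name). Assumes both buffers hold
 * len bytes. No branch or early return depends on the data. */
static int total_equal(const unsigned char *a, const unsigned char *b,
                       size_t len, size_t *examined)
{
    volatile unsigned char diff = 0;  /* volatile: keep every iteration */
    for (size_t i = 0; i < len; i++)
        diff |= (unsigned char)(a[i] ^ b[i]);
    *examined = len;
    /* Branch-free "diff == 0": only diff == 0 wraps around and sets bit 8. */
    return (int)((((unsigned)diff - 1u) >> 8) & 1u);
}

int main(void)
{
    size_t n1, n2;
    leaky_equal(EXPECTED, WRONG_FIRST, 8, &n1);
    leaky_equal(EXPECTED, WRONG_LAST, 8, &n2);
    printf("early-exit:   %zu vs %zu bytes examined\n", n1, n2);
    total_equal(EXPECTED, WRONG_FIRST, 8, &n1);
    total_equal(EXPECTED, WRONG_LAST, 8, &n2);
    printf("accumulating: %zu vs %zu bytes examined\n", n1, n2);
    return 0;
}
```

The work done by `total_equal` depends only on `len`, which is the property the C version makes easier to inspect; whether a given compiler and CPU preserve it still has to be checked on the generated code.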