Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Sat, 24 Sep 2016 10:30:01 -0400
From: Scott Arciszewski <scott@...agonie.com>
To: passwords@...ts.openwall.com
Subject: Re: Blog Post about Password Resets

On Sat, Sep 24, 2016 at 7:03 AM, Alex Smirnoff <ark@...ex.net> wrote:

> Sorry, I did not get the idea.
>
> If you use the whole token's hash as both the selector and verifier,
> wouldn't
> it be easier just to make a verification function that works at a constant
> time?


​Your database lookup, which is a search operation, cannot be relied to be
constant-time.


> (and aren't timing attacks already impactical even if you do not,
> because the attacker cannot manipulate arbitray bytes in the hash?)
>

Well, to begin with:
 Nobody else has prehashing the verifier.
​
​

W
​hat this means is they're doing is:

​    ​
SELECT userid FROM reset_tokens WHERE token = ​'{$some
​AttackerProvided​
String}' AND expires < NOW()

...which​ means they're in a position to leverage any timing leaks that may
exist in the database software's search algorithm.

​Now, even if someone were to prehash with SHA256 to attempt to mitigate
this, the output of SHA256 is deterministic. You might not be able to
manipulate the bytes, but you can create candidate values that will leak
timing information about the first N bytes of the stored hash. Whether or
not an attacker could leverage this into a full exploit remains to be seen.
It would remain an interesting problem for attackers and defenders alike.

Using a split-token approach solves this problem by separating the
timing-leaky operation (the database lookup) from the constant-time
operation (the cryptographic verification). Even if you find a way to
reliably control one, you gain no information about the other. This design
decision totally stops timing leaks from being useful at all.

Scott Arciszewski
Chief Development Officer
Paragon Initiative Enterprises <https://paragonie.com/>​

Content of type "text/html" skipped

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.