Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:70854 Return-Path: Mailing-List: contact internals-help@lists.php.net; run by ezmlm Delivered-To: mailing list internals@lists.php.net Received: (qmail 6643 invoked from network); 23 Dec 2013 10:11:47 -0000 Received: from unknown (HELO lists.php.net) (127.0.0.1) by localhost with SMTP; 23 Dec 2013 10:11:47 -0000 Authentication-Results: pb1.pair.com smtp.mail=smalyshev@sugarcrm.com; spf=pass; sender-id=pass Authentication-Results: pb1.pair.com header.from=smalyshev@sugarcrm.com; sender-id=pass Received-SPF: pass (pb1.pair.com: domain sugarcrm.com designates 108.166.43.75 as permitted sender) X-PHP-List-Original-Sender: smalyshev@sugarcrm.com X-Host-Fingerprint: 108.166.43.75 smtp75.ord1c.emailsrvr.com Linux 2.6 Received: from [108.166.43.75] ([108.166.43.75:55525] helo=smtp75.ord1c.emailsrvr.com) by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP id E4/F4-08405-06C08B25 for ; Mon, 23 Dec 2013 05:11:45 -0500 Received: from localhost (localhost.localdomain [127.0.0.1]) by smtp2.relay.ord1c.emailsrvr.com (SMTP Server) with ESMTP id 1FB6B1E88A0; Mon, 23 Dec 2013 05:11:42 -0500 (EST) X-Virus-Scanned: OK Received: by smtp2.relay.ord1c.emailsrvr.com (Authenticated sender: smalyshev-AT-sugarcrm.com) with ESMTPSA id DC1D31E886C; Mon, 23 Dec 2013 05:11:39 -0500 (EST) Message-ID: <52B80C5B.2050208@sugarcrm.com> Date: Mon, 23 Dec 2013 02:11:39 -0800 Organization: SugarCRM User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:24.0) Gecko/20100101 Thunderbird/24.1.1 MIME-Version: 1.0 To: =?UTF-8?B?Um91dmVuIFdlw59saW5n?= , "internals@lists.php.net" References: <3014595E-B155-47F6-AC7B-71083D89525D@rouvenwessling.de> In-Reply-To: <3014595E-B155-47F6-AC7B-71083D89525D@rouvenwessling.de> Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 7bit Subject: Re: [PHP-DEV] [RFC] Timing attack safe string comparison function From: smalyshev@sugarcrm.com (Stas Malyshev) Hi! > I'd like to propose this RFC to introduce a time-constant string > comparison function: https://wiki.php.net/rfc/timing_attack I wonder how practical this would be. There are probably many side channels in PHP related to how PHP manages memory, copies variables, processes opcodes, etc. so I wonder if providing such function for PHP API would practically add anything or if you should be doing crypto that sensitive in PHP anyway? -- Stanislav Malyshev, Software Architect SugarCRM: http://www.sugarcrm.com/ (408)454-6900 ext. 227