Newsgroups: php.internals
Message-ID: <52F0139C.2060102@sugarcrm.com>
Date: Mon, 03 Feb 2014 14:09:32 -0800
From: smalyshev@sugarcrm.com (Stas Malyshev)
Organization: SugarCRM
To: Nikita Popov, Rouven Weßling
CC: PHP internals
References: <9E3AA302-1EC1-4497-996F-716555CAAB64@rouvenwessling.de>
Subject: Re: [PHP-DEV] [VOTE] Timing attack safe string comparison function

Hi!

> * You are using MAX, i.e. an if-then-else branch. I'm pretty sure that the
> if and else branches will have different instruction counts in that case.
> Simple alternative would be something fixed like mod_len = known_len+1 or
> known_len&1.
> * You leak information on mod_len / known_len, because you will have

If it's meant to compare hashes and other such things, we can presume the attacker already knows what your code does, and thus knows what the expected hash length is. What he doesn't know is what that hash is. The timing attack is based on the fact that regular comparison drops after the first mismatch, so the attacker, by trying different first symbols and using time as an oracle between match and mismatch, can guess the hash. The length of the hash, however, is not useful to him: for most standard crypto protocols all lengths are already known, and even if you are using some modifications, basic crypto principles tell us to assume your algorithm is known to the attacker, and thus most probably your known hash length is too.

-- 
Stanislav Malyshev, Software Architect
SugarCRM: http://www.sugarcrm.com/
(408)454-6900 ext. 227
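The two behaviours Stas contrasts above, as an added C example that is not code from the RFC, from PHP itself, or from anyone in the thread: a naive comparison that exits at the first mismatching byte (so its work, and therefore its time, grows with the length of the correctly guessed prefix), beside a variant whose work depends only on the two lengths, which the reply argues the attacker is assumed to know anyway. The `known[i % known_len]` indexing, the branch-free folding of the length mismatch into the same accumulator, and the `steps` out-parameter that makes the leak countable instead of timeable are this example's own devices, not the RFC's.

```c
#include <stddef.h>
#include <stdio.h>

/* Naive comparison: returns at the first mismatching byte, so the number
 * of bytes examined (and hence the time taken) reveals how long a correct
 * prefix the attacker has guessed. *steps receives the number of byte
 * comparisons performed so the leak can be observed directly. */
int naive_equals(const char *known, size_t known_len,
                 const char *user, size_t user_len, size_t *steps)
{
    *steps = 0;
    if (known_len != user_len) return 0;
    for (size_t i = 0; i < known_len; i++) {
        (*steps)++;
        if (known[i] != user[i]) return 0;   /* early exit: the timing oracle */
    }
    return 1;
}

/* Constant-time variant. Every byte of the user-supplied string is visited;
 * the known string is indexed modulo its own length, so no branch depends on
 * which string is longer; and the length mismatch is OR-ed into the same
 * accumulator as the byte differences instead of being tested up front.
 * Work depends only on user_len (chosen by the attacker) and known_len
 * (assumed known to him), never on where the strings first differ. */
int ct_equals(const char *known, size_t known_len,
              const char *user, size_t user_len, size_t *steps)
{
    *steps = 0;
    if (known_len == 0) return user_len == 0;      /* avoid modulo by zero */

    /* Non-zero iff the lengths differ, built without a data-dependent branch
     * by OR-ing together the bytes of (known_len XOR user_len). */
    size_t lx = known_len ^ user_len;
    unsigned char diff = 0;
    for (size_t b = 0; b < sizeof lx; b++)
        diff |= (unsigned char)(lx >> (8 * b));

    for (size_t i = 0; i < user_len; i++) {
        (*steps)++;
        diff |= (unsigned char)(known[i % known_len] ^ user[i]);
    }
    return diff == 0;
}

int main(void)
{
    /* Constructed sample inputs: a "known" hash and three guesses with
     * correct prefixes of length 6, 3 and 0. */
    const char *known = "abcdef";
    const char *guesses[] = { "abcdef", "abcxyz", "xbcdef" };
    for (int g = 0; g < 3; g++) {
        size_t n_steps, c_steps;
        int n = naive_equals(known, 6, guesses[g], 6, &n_steps);
        int c = ct_equals(known, 6, guesses[g], 6, &c_steps);
        printf("guess %s: naive=%d after %zu steps, ct=%d after %zu steps\n",
               guesses[g], n, n_steps, c, c_steps);
    }
    return 0;
}
```

Running it shows the naive step count falling from 6 to 4 to 1 as the guessed prefix shrinks, while the constant-time version always performs 6 steps; a repeated copy of the known string of the wrong length is also rejected, because the length difference is folded into `diff`.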