Re: Time Invariant String Comparison

lua-l archive

[Date Prev][Date Next][Thread Prev][Thread Next] [Date Index] [Thread Index]

Subject: Re: Time Invariant String Comparison
From: Coda Highland <chighland@...>
Date: Thu, 16 Jan 2014 07:14:30 -0800

On Thu, Jan 16, 2014 at 5:01 AM, Oliver Kroth <oliver.kroth@nec-i.de> wrote:
> Why not use hashed passwords, which is a better idea anyway as this takes a
> length independent time, and you may store the credentials in a safe way?

This is the best solution to the problem. The hashing function has
fixed-length output making the comparison immune to timing attacks,
and its own execution time is based only on the length of the input
and leaks no information about the real password.

/s/ Adam

Follow-Ups:
- Re: Time Invariant String Comparison, Pierre Chapuis

References:
- Time Invariant String Comparison, Jason A. Donenfeld
- Re: Time Invariant String Comparison, Daniel Silverstone
- Re: Time Invariant String Comparison, Elias Barrionovo
- Re: Time Invariant String Comparison, Paige DePol
- Re: Time Invariant String Comparison, Oliver Kroth

Prev by Date: Re: Time Invariant String Comparison
Next by Date: Re: [ANN] stdlib 36 released
Previous by thread: Re: Time Invariant String Comparison
Next by thread: Re: Time Invariant String Comparison
Index(es):
- Date
- Thread