- Subject: Re: Time Invariant String Comparison
- From: Daniel Silverstone <dsilvers@...>
- Date: Thu, 16 Jan 2014 11:55:05 +0000
On Thu, Jan 16, 2014 at 12:44:53 +0100, Jason A. Donenfeld wrote:
> Over at cgit [1] we use Lua for our authentication framework [2]. One
> thing we're doing wrong is lines like these:
>
> if password == post["password"] then
>
> Since an attacker can control the post params, this test is vulnerable
> to a timing attack, by which an attacker could determine the password
> one character at a time by analysis of response time.
>
> What I'm looking for is some clever way in Lua to compare two strings
> in a time invariant way. Any suggestions?
Lua's strings are interned and hashed. As a result, string comparison for
equality is pretty much constant time :)
D.
--
Daniel Silverstone http://www.digital-scurf.org/
PGP mail accepted and encouraged. Key Id: 3CCE BABE 206C 3B69
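As an added example for the comparison the original poster asked about (this is editor-supplied code, not from cgit, its authentication framework, or either correspondent), the following Lua function compares two strings in a way whose running time does not depend on where the first mismatching byte sits, and does not rely on how the interpreter stores or interns strings. The function name `const_time_equal` and the sample values are assumptions for the example; the loop runs over the length of the caller-supplied (untrusted) string, so the time spent is a function of input the caller already knows rather than of the secret, and the mismatch is accumulated arithmetically instead of branching on it. In practice the values compared should be fixed-length digests or MACs of the password rather than the plaintext itself, which also removes the length difference as a signal.

```lua
-- const_time_equal(secret, supplied) -> boolean
-- Returns true only if the two strings are byte-for-byte identical.
-- Runs on Lua 5.1 through 5.4 (no bitwise operators used).
-- Timing depends only on #supplied, never on which byte differs.
local function const_time_equal(secret, supplied)
  if type(secret) ~= "string" or type(supplied) ~= "string" then
    return false
  end

  -- Start the accumulator non-zero when the lengths differ, then still
  -- walk the whole supplied string so the work done is the same either way.
  local acc = 0
  if #secret ~= #supplied then
    acc = 1
  end

  for i = 1, #supplied do
    -- string.byte returns nil past the end; treat it as 0 so the loop
    -- always does the same amount of work per position.
    local a = secret:byte(i) or 0
    local b = supplied:byte(i)
    local d = a - b
    -- d*d is 0 only when the bytes match; no data-dependent branch here.
    acc = acc + d * d
  end

  return acc == 0
end

-- Constructed sample values (not real credentials) to exercise the function.
local stored = "correct horse battery staple"
assert(const_time_equal(stored, "correct horse battery staple") == true)
assert(const_time_equal(stored, "correct horse battery stapl") == false)
assert(const_time_equal(stored, "xorrect horse battery staple") == false)
assert(const_time_equal(stored, "correct horse battery staple!") == false)
assert(const_time_equal(stored, nil) == false)

return const_time_equal
```

Note that this only removes the per-byte early exit from the comparison itself; a realistic login path should still hash or MAC the submitted value before comparing, so that the stored secret is never held as plaintext and both operands have a fixed length.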