- Subject: Re: Time Invariant String Comparison
- From: Paige DePol <lual@...>
- Date: Thu, 16 Jan 2014 06:39:28 -0600
On Jan 16, 2014, at 6:30 AM, Elias Barrionovo <elias.tandel@gmail.com> wrote:
> On Jan 16, 2014 9:55 AM, "Daniel Silverstone" <dsilvers@digital-scurf.org> wrote:
> > Lua's strings are interned and hashed. As a result, string comparison for
> > equality is pretty much constant time :)
>
> Unless it's Lua >= 5.2 and the password is really large, like >32 bytes large. But this can be changed at compile time.
>
> =)

40 bytes by default (check LUAI_MAXSHORTLEN in luaconf.h).

As for the password attack, wouldn't just adding a tiny random delay to each request negate such a problem?

Also, wouldn't this type of attack only work against servers with very little server load, given the delay between checking two characters of a string would be exceedingly tiny?

~pmd~
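
A comparison that avoids `==` altogether, so it behaves the same for secrets on either side of the LUAI_MAXSHORTLEN threshold discussed above, as an added example that is not part of the original post or of Lua itself. The name `ct_equal` and the sample token are hypothetical, and the code assumes only the standard string and math libraries (Lua 5.1 or later); an interpreter can still add timing variation that script code cannot control.

```lua
-- Added example, not code from the thread.
-- Compares every byte of `expected` against `given` and only looks at the
-- accumulated result once the loop has finished, so the amount of work does
-- not depend on how many leading bytes of the guess are correct.
local function ct_equal(expected, given)
  local n = #expected
  -- A length mismatch is folded into the accumulator rather than
  -- causing an early return.
  local diff = (#given == n) and 0 or 1
  for i = 1, n do
    local a = expected:byte(i)
    -- string.byte returns nil past the end of `given`; 256 can never
    -- equal a real byte value (0..255), so it always counts as a mismatch.
    local b = given:byte(i) or 256
    -- Arithmetic accumulation works on Lua 5.1 as well, which has no
    -- bitwise operators; diff stays 0 only if every pair matched.
    diff = diff + math.abs(a - b)
  end
  return diff == 0
end

-- Constructed sample: a 48-byte token, longer than the 40-byte default
-- short-string limit mentioned in the post.
local secret = string.rep("k", 48)

assert(ct_equal(secret, secret))
assert(not ct_equal(secret, "X" .. string.rep("k", 47)))  -- first byte wrong
assert(not ct_equal(secret, string.rep("k", 47) .. "X"))  -- last byte wrong
assert(not ct_equal(secret, string.rep("k", 47)))         -- too short
assert(not ct_equal(secret, string.rep("k", 49)))         -- too long
assert(ct_equal("", ""))

return ct_equal
```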