- Subject: Re: Time Invariant String Comparison
- From: Rob Kendrick <rjek@...>
- Date: Thu, 16 Jan 2014 12:50:31 +0000
On Thu, Jan 16, 2014 at 06:39:28AM -0600, Paige DePol wrote:
> On Jan 16, 2014, at 6:30 AM, Elias Barrionovo <elias.tandel@gmail.com> wrote:
>
> > On Jan 16, 2014 9:55 AM, "Daniel Silverstone" <dsilvers@digital-scurf.org> wrote:
> > > Lua's strings are interned and hashed. As a result, string comparison for
> > > equality is pretty much constant time :)
> >
> > Unless it's Lua >= 5.2 and the password is really large, like >32 bytes large. But this can be changed at compile time.
>
> As for the password attack, wouldn't just adding a tiny random delay to each request negate such a problem?
Depends on the quality of your RNG. If you use /dev/random then you've
just changed the attack from a timing attack on passwords to an entropy
depletion attack.
B.
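The thread's point is that `==` on Lua strings is only constant-time while the strings are interned; for long strings in 5.2+ the comparison falls back to a byte-by-byte check that stops at the first mismatch. Below is an added example, not code from this thread, of a comparison that always touches every byte so its running time does not depend on where the first differing byte is. It assumes stock Lua 5.1 to 5.3 with no extra libraries, uses plain arithmetic instead of bitwise ops for portability, and compares lengths up front, so it leaks the length but not the content.

```lua
-- consteq(a, b): compare two strings without an early exit on the
-- first differing byte. Added example; not part of the original thread.
local function consteq(a, b)
  -- Length is cheap to obtain (#s is O(1)) and is not treated as secret
  -- here; a caller who must hide it should pad or hash first.
  if #a ~= #b then
    return false
  end
  local diff = 0
  for i = 1, #a do
    -- Accumulate the squared byte difference. The loop never breaks and
    -- never branches on the data, so the work done is the same whether
    -- the strings differ at byte 1 or not at all.
    local d = a:byte(i) - b:byte(i)
    diff = diff + d * d
  end
  return diff == 0
end

-- Constructed sample inputs, long enough that Lua 5.2+ would not intern
-- them and the stock == would take the early-exit path.
local stored  = string.rep("A", 64)
local attempt = string.rep("A", 63) .. "B"
local same    = string.rep("A", 64)

assert(consteq(stored, same) == true)
assert(consteq(stored, attempt) == false)
assert(consteq(stored, "short") == false)

return consteq
```

The function only removes the data-dependent early exit inside the comparison itself; the interpreter's own allocation and hashing work on long strings is outside its control.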