lua-l archive



On Jan 16, 2014, at 3:44 AM, Jason A. Donenfeld <Jason@zx2c4.com> wrote:

> Hi guys,
> 
> Over at cgit [1] we use Lua for our authentication framework [2]. One
> thing we're doing wrong is lines like these:
> 
> 	if password == post["password"] then
> 
> Since an attacker can control the post params, this test is vulnerable
> to a timing attack, by which an attacker could determine the password
> one character at a time by analysis of response time.
> 
> What I'm looking for is some clever way in Lua to compare two strings
> in a time invariant way. Any suggestions?
> 
> Thanks,
> Jason
> 
> 
> [1] http://git.zx2c4.com/cgit/
> [2] http://git.zx2c4.com/cgit/tree/filters/simple-authentication.lua
> 

First, I would not rely on language behaviors such as string compare time for security. As others have explained here, this varies from version to version (and even with different build options) within Lua. Second, the normal approach here is to ALWAYS inject a significant (and pseudo-random) delay when responding to invalid credentials. This not only prevents time analysis attacks, it also protects against brute-force and dictionary attacks since it makes them take impractically long times. Don’t rely on the network being slow for this either.

—Tim
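As an added example (not code from cgit, from simple-authentication.lua, or from either poster), here is one way to answer the question in the original post: a comparison in plain Lua whose loop never exits early, so its running time depends only on the lengths of the two strings and not on where the first mismatching byte sits. It uses only string.byte and arithmetic, so it does not need a bit library and runs on Lua 5.1, 5.2 and LuaJIT. The function name and the sample inputs at the bottom are assumptions made for this example.

```lua
-- Added example, not from cgit or the original thread.
-- Compare two strings without an early exit on the first mismatch.
local function const_time_equal(a, b)
  -- Reject non-strings outright; a nil or table must not be able to
  -- short-circuit the comparison further down.
  if type(a) ~= "string" or type(b) ~= "string" then
    return false
  end

  local la, lb = #a, #b
  local n = math.max(la, lb)

  -- Fold the length difference into the accumulator instead of returning
  -- early. Squaring keeps it non-negative so it cannot be cancelled out
  -- by a later byte difference.
  local diff = (la - lb) * (la - lb)

  for i = 1, n do
    -- string.byte returns nothing past the end of a string. Substitute
    -- out-of-range sentinels (distinct for each side) so the loop always
    -- runs for the full length of the longer input and the padded
    -- positions always count as a mismatch.
    local ca = string.byte(a, i) or 256
    local cb = string.byte(b, i) or 257
    -- (ca - cb)^2 is zero only when the bytes are equal; accumulating it
    -- avoids a data-dependent branch inside the loop.
    diff = diff + (ca - cb) * (ca - cb)
  end

  -- Only a single comparison happens, after every byte has been visited.
  return diff == 0
end

-- Constructed sample inputs (assumed values, not real credentials).
assert(const_time_equal("hunter2", "hunter2") == true)
assert(const_time_equal("hunter2", "hunter3") == false)
assert(const_time_equal("hunter2", "hunter") == false)
-- Same prefix, one extra byte: the length term must not be cancelled out.
assert(const_time_equal("abc", "abc\255") == false)
assert(const_time_equal("secret", nil) == false)

return const_time_equal
```

Two caveats. An interpreter gives no hard timing guarantees, so the realistic goal is removing the early exit of `==`, not bit-for-bit constant time. And the loop length still reveals whether the supplied value is longer than the stored one; if that matters, compare fixed-length digests of both values (for example a keyed hash of each side) rather than the raw strings, which also avoids keeping plaintext passwords in the filter at all.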