Re: Time Invariant String Comparison

lua-l archive

[Date Prev][Date Next][Thread Prev][Thread Next] [Date Index] [Thread Index]

Subject: Re: Time Invariant String Comparison
From: Coda Highland <chighland@...>
Date: Thu, 16 Jan 2014 16:18:39 -0800

On Thu, Jan 16, 2014 at 4:02 PM, Tim Hill <drtimhill@gmail.com> wrote:
> First, I would not rely on language behaviors such as string compare time for security .. as others have explained here this varies from version to version (and even different build options) within Lua. Second, the normal approach here is to ALWAYS inject a significant (and pseudo-random) delay when responding to invalid credentials. This not only prevents time analysis attacks, it also protects against brute-force and dictionary attacks since it makes them take impractically long times. Don’t rely on the network being slow for this either.

It's less a question of RELYING on it for security as it is making
sure it's not a source of INsecurity. As has been described elsewhere
in the thread, a pseudorandom delay doesn't actually help (it just
makes a time analysis attack a little bit noisier) -- however a delay
that increases based on the number of failed attempts DOES help.

/s/ Adam

Follow-Ups:
- Re: Time Invariant String Comparison, Tim Hill

References:
- Time Invariant String Comparison, Jason A. Donenfeld
- Re: Time Invariant String Comparison, Tim Hill

Prev by Date: Re: I'm really fed up with this list! News from the revolut.
Next by Date: Re: I'm really fed up with this list! News from the revolut.
Previous by thread: Re: Time Invariant String Comparison
Next by thread: Re: Time Invariant String Comparison
Index(es):
- Date
- Thread