Re: Time Invariant String Comparison

lua-l archive

[Date Prev][Date Next][Thread Prev][Thread Next] [Date Index] [Thread Index]

Subject: Re: Time Invariant String Comparison
From: Javier Guerra Giraldez <javier@...>
Date: Fri, 17 Jan 2014 08:25:08 -0500

On Fri, Jan 17, 2014 at 5:08 AM, Dirk Laurie <dirk.laurie@gmail.com> wrote:
> It has also been suggested, in effect, that your code should be
> saying
>
>     if encrypted_password == encrypt(post.password) then
>
> You could also have cryptography at both ends:
>
> 1. Client sends a request to authenticate.
> 2. Server sends a message together with the request: calculate
>    encrypt(message,key) using your secret password as key,
>    and send me the result. While waiting for the response, server
>    does the same calculation.
> 3.Program does
>    if encryption == post.encryption then


s/encryption/hashing/g

-- 
Javier

References:
- Time Invariant String Comparison, Jason A. Donenfeld
- Re: Time Invariant String Comparison, Dirk Laurie

Prev by Date: behaviour of assert on non-string errors
Next by Date: Re: [ANN] push-decoding of bencoded messages
Previous by thread: Re: Time Invariant String Comparison
Next by thread: Re: Time Invariant String Comparison
Index(es):
- Date
- Thread