Message 162858 - Python tracker

➜

This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author	fijall
Recipients	arigo, christian.heimes, fijall, hynek, loewis, ncoghlan, pitrou
Date	2012-06-15.07:49:06
SpamBayes Score	-1.0
Marked as misclassified	Yes
Message-id	<CAK5idxRGQ-aGTWpi78O=OhwFpKpG=UM2+3TrSCDbc70cE=ggVw@mail.gmail.com>
In-reply-to	<1339746101.2.0.168012572077.issue15061@psf.upfronthosting.co.za>

Content
On Fri, Jun 15, 2012 at 9:41 AM, Nick Coghlan <report@bugs.python.org>wrote: > > Nick Coghlan <ncoghlan@gmail.com> added the comment: > > To repeat, the specific feature being proposed for retention is: > > * a function called hmac.total_compare() that is clearly documented as > being still vulnerable to timing analysis given a sufficiently > sophisticated attacker, while still being more resistant to such analysis > than the standard comparison operator > > * restricting that function to operating on bytes, to eliminate timing > variations associated with encoding/decoding of Unicode text and reduce > those associated with the calculation of integer values > > Leaking less information on each comparison is intended to increase the > effectiveness of higher level timing attack countermeasures (such as rate > limiting and lockouts). Anyone that would use "hmac.total_compare" and call > it done is likely using ordinary comparison today (which is even worse). > > ---------- > > _______________________________________ > Python tracker <report@bugs.python.org> > <http://bugs.python.org/issue15061> > _______________________________________ > Nick, I fail to understand why are you opposing writing such a function in C. Such a function can be provably time-independent (and as MvL says this is a binary state), at least as long as it operates on bytes (I'll refrain from asking about unicode, I think it's possible, but I dunno). For the same function in python it's at the very least much harder to prove (and has bugs as we've seen) Cheers, fijal

On Fri, Jun 15, 2012 at 9:41 AM, Nick Coghlan <report@bugs.python.org>wrote:

>
> Nick Coghlan <ncoghlan@gmail.com> added the comment:
>
> To repeat, the specific feature being proposed for retention is:
>
> * a function called hmac.total_compare() that is clearly documented as
> being still vulnerable to timing analysis given a sufficiently
> sophisticated attacker, while still being more resistant to such analysis
> than the standard comparison operator
>
> * restricting that function to operating on bytes, to eliminate timing
> variations associated with encoding/decoding of Unicode text and reduce
> those associated with the calculation of integer values
>
> Leaking less information on each comparison is intended to increase the
> effectiveness of higher level timing attack countermeasures (such as rate
> limiting and lockouts). Anyone that would use "hmac.total_compare" and call
> it done is likely using ordinary comparison today (which is even worse).
>
> ----------
>
> _______________________________________
> Python tracker <report@bugs.python.org>
> <http://bugs.python.org/issue15061>
> _______________________________________
>

Nick, I fail to understand why are you opposing writing such a function in
C. Such a function can be provably time-independent (and as MvL says this
is a binary state), at least as long as it operates on bytes (I'll refrain
from asking about unicode, I think it's possible, but I dunno).

For the same function in python it's at the very least much harder to prove
(and has bugs as we've seen)

Cheers,
fijal

History
Date	User	Action	Args
2012-06-15 07:49:07	fijall	set	recipients: + fijall, loewis, arigo, ncoghlan, pitrou, christian.heimes, hynek
2012-06-15 07:49:06	fijall	link	issue15061 messages
2012-06-15 07:49:06	fijall	create