Message162862
This point was discussed in #14532 when the new API was added.
From http://bugs.python.org/issue14532#msg158045:
"""Given that this issue has affected a lot of security-sensitive third-party code (keyczar, openid providers, almost every python web service that implements "secure cookies" [1] or other HMAC-based REST API signatures), I do like the idea of adding a warning in the relevant documentation as sbt proposed.
The only reason I'd recommend _not_ putting a time_independent_comparison() function in the hmac module is that it's not really HMAC-specific. In practice, any fixed-length secrets should be compared in a time-independent manner. It just happens that HMAC verification is a pretty common case for this vulnerable construct. :-)"""
For password hashing, the attacker is unlikely to be able to provide the digest directly, but for signature checking it's far more likely to be the case.
The idea is to make it easy for people to reduce the time variance of their digest comparisons as the *default* choice when writing security-related code. Deciding whether or not the risk of a timing attack is actually significant requires you to look at the system as a whole and decide "Oh, OK, short-circuiting comparison doesn't leave us open to timing analysis here, we can use it as a performance enhancement". (Although, in most systems, there are likely to be plenty of other less sensitive places to go after for performance improvements first.)
| Date | User | Action | Args |
| 2012-06-15 07:59:43 | ncoghlan | set | recipients: + ncoghlan, loewis, arigo, pitrou, christian.heimes, fijall, hynek |
| 2012-06-15 07:59:43 | ncoghlan | set | messageid: <1339747183.87.0.718599175898.issue15061@psf.upfronthosting.co.za> |
| 2012-06-15 07:59:43 | ncoghlan | link | issue15061 messages |
| 2012-06-15 07:59:42 | ncoghlan | create | |
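The signature-checking case from the message above, as an added example (not code from the tracker or from CPython): a "secure cookie" check that uses the standard library's `hmac.compare_digest` (Python 3.3+), next to a model of an early-exit comparison whose work depends on how much of the supplied tag is correct. The key, the cookie value and all helper names are constructed for illustration.

```python
import hashlib
import hmac
from typing import Tuple

SECRET_KEY = b"constructed-demo-key"  # constructed sample key, not from the page


def sign(value: bytes) -> str:
    """Return the hex HMAC-SHA256 tag a server would attach to a cookie value."""
    return hmac.new(SECRET_KEY, value, hashlib.sha256).hexdigest()


def short_circuit_equal(a: str, b: str) -> Tuple[bool, int]:
    """Model of an early-exit comparison such as ==.

    Returns (result, characters examined). The count stands in for running
    time: it grows with the length of the matching prefix.
    """
    if len(a) != len(b):
        return False, 0
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y:
            return False, i + 1
    return True, len(a)


def verify_cookie(value: bytes, supplied_tag: str) -> bool:
    """Check a client-supplied tag without stopping at the first mismatch."""
    expected = sign(value).encode("ascii")
    # Compare as bytes: compare_digest raises TypeError for non-ASCII str,
    # and the supplied tag is attacker-controlled input.
    supplied = supplied_tag.encode("utf-8", "replace")
    return hmac.compare_digest(expected, supplied)


def flip_char(tag: str, index: int) -> str:
    """Build a wrong tag that matches `tag` everywhere except at `index`."""
    replacement = "0" if tag[index] != "0" else "1"
    return tag[:index] + replacement + tag[index + 1:]


if __name__ == "__main__":
    value = b"user=alice"  # constructed sample cookie value
    good = sign(value)
    for index in (0, 20, 63):
        bad = flip_char(good, index)
        _, examined = short_circuit_equal(good, bad)
        print(index, examined, verify_cookie(value, bad))
    print(verify_cookie(value, good))
```
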