
Author ncoghlan
Recipients arigo, christian.heimes, fijall, hynek, loewis, ncoghlan, pitrou
Date 2012-06-15.08:32:48
Message-id <1339749169.68.0.0669673642602.issue15061@psf.upfronthosting.co.za>
Content
That's why the vulnerable cases are far more likely to be related to *signature* checking. In those you can generally provide both the hash input (the message) and the hash target (the purported "signature").

If the signature check uses a time-dependent comparison that exhibits a lot of externally visible variance, then you can use a timing attack to find the signature that corresponds to a particular message (by keeping the message constant and changing the "signature"). Depending on the nature of the message, you're potentially done at that point (since on your final attempt your signed message was accepted), or else you may be after data that you can feed into an analysis aimed at breaking the signing key itself (a much harder prospect, but still possible given a sufficiently large sample, or a signing algorithm that is vulnerable to leaking the key as a result of chosen plaintext attacks).

Yes, system level defences are also important (that's why multiprocessing turned out to not, in fact, be vulnerable to an attack based on time dependent signature comparisons), but minimising information leakage is just a good principle of secure design.
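The leakage the message describes, as an added example that is not part of the tracker discussion: an early-exit comparison stops at the first mismatching byte, so the amount of work it does (here counted deterministically rather than timed) tells an attacker how many leading bytes of a purported signature are correct, while a comparison that always walks the whole tag, or the stdlib's hmac.compare_digest, does not. Key and message are constructed for the demo.

```python
import hmac
import hashlib

# Constructed secret and message for the demonstration (not from the tracker).
KEY = b"demo-secret-key"
MESSAGE = b"transfer 100 credits to alice"

def sign(key: bytes, message: bytes) -> bytes:
    """Produce an HMAC-SHA256 tag for message under key."""
    return hmac.new(key, message, hashlib.sha256).digest()

def naive_compare(a: bytes, b: bytes) -> tuple:
    """Early-exit comparison: returns (equal, bytes_examined).
    bytes_examined is the side channel: it grows by one for every leading
    byte of the attacker's guess that matches the real tag."""
    if len(a) != len(b):
        return False, 0
    examined = 0
    for x, y in zip(a, b):
        examined += 1
        if x != y:
            return False, examined
    return True, examined

def constant_time_compare(a: bytes, b: bytes) -> tuple:
    """Walks every byte regardless of where the first mismatch is, folding
    the differences together with OR instead of branching on them, so the
    work done depends only on the length, not on the content."""
    if len(a) != len(b):
        return False, 0
    diff = 0
    for x, y in zip(a, b):
        diff |= x ^ y
    return diff == 0, len(a)

def verify(key: bytes, message: bytes, purported_sig: bytes) -> bool:
    """Signature check as a defender should write it: recompute the tag and
    compare it with the stdlib's constant-time hmac.compare_digest."""
    return hmac.compare_digest(sign(key, message), purported_sig)

def leakage_demo() -> tuple:
    """Two attacker guesses against a fixed message: one wrong in the first
    byte, one wrong only in the last. Returns the bytes examined by each
    comparison function for each guess."""
    real = sign(KEY, MESSAGE)
    wrong_first = bytes([real[0] ^ 0xFF]) + real[1:]
    wrong_last = real[:-1] + bytes([real[-1] ^ 0xFF])
    return (naive_compare(real, wrong_first)[1], naive_compare(real, wrong_last)[1],
            constant_time_compare(real, wrong_first)[1],
            constant_time_compare(real, wrong_last)[1])
```

The naive path examines 1 byte for the first guess and all 32 for the second, which is the per-byte signal a timing attack accumulates; the constant-time path examines 32 either way.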