This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author petri.lehtinen
Recipients arigo, christian.heimes, fijall, hynek, loewis, ncoghlan, petri.lehtinen, pitrou
Date 2012-06-15.08:36:29
SpamBayes Score -1.0
Marked as misclassified Yes
Message-id <1339749390.16.0.806917032947.issue15061@psf.upfronthosting.co.za>
In-reply-to
Content
For example, Django uses time independent comparison to compare signatures of signed cookies. A signed cookie consists of a plain-text value followed by a signature.

An attacker wants to construct a cookie that has a malformed value and a valid signature for that value. Let's assume that a signature is a string of 16 hex characters.

If a short-cut comparison was used, the attacker would require at most 16 tries to find out the first character. He first tries the signature "000...0", then "100...0", and so on until he notices that Django takes a slightly longer time to respond. Now he know what's the first character of the hash, let's assume it's "8". He then tries "8000...0", "810...0", and so on until he finds the second character. He continues this until he has the correct 16 characters. This takes at most 16 * 16 tries.

But because Django uses a constant-time comparison function, the attacker cannot guess one character at a time, and he needs 16 ** 16 tries.

In real world, 16 * 16 tries is not enough, of course. But repeating the same requests many times, the timing variations can be used to reveal which is the correct character in each step.
History
Date User Action Args
2012-06-15 08:36:30petri.lehtinensetrecipients: + petri.lehtinen, loewis, arigo, ncoghlan, pitrou, christian.heimes, fijall, hynek
2012-06-15 08:36:30petri.lehtinensetmessageid: <1339749390.16.0.806917032947.issue15061@psf.upfronthosting.co.za>
2012-06-15 08:36:29petri.lehtinenlinkissue15061 messages
2012-06-15 08:36:29petri.lehtinencreate