Message162880
Oh dear god, what have I done ... I threw a small stone and caused a major landslide. :)
I'm all with Nick on this topic. A correctly named and documented function provides a tool to users that greatly reduces the chance of a side channel attack. It's all about teaching good practice. I also agree that we must neither call it 'secure' nor document it as 'secure'. I believe the correct term is 'hardened against timing analysis and side channel attacks'.
I could wrap up a quick C implementation if you like. The operator module is a better place for a total_compare() function. Do you agree?
I recommend that you read/watch Geremy Condra's PyCon talk "Through the Side Channel: Timing and Implementation Attacks in Python". The slides contain timing analysis diagrams.

Date | User | Action | Args
2012-06-15 10:00:22 | christian.heimes | set | recipients: + christian.heimes, loewis, ncoghlan, pitrou, fijall, petri.lehtinen, hynek
2012-06-15 10:00:22 | christian.heimes | set | messageid: <1339754422.02.0.747287512063.issue15061@psf.upfronthosting.co.za>
2012-06-15 10:00:20 | christian.heimes | link | issue15061 messages
2012-06-15 10:00:20 | christian.heimes | create |