tech-userlevel archive
Re: const time authentication in bozohttpd
Joerg Sonnenberger <joerg%britannica.bec.de@localhost> wrote:
> On Wed, Jun 25, 2014 at 08:08:57PM +0100, Mindaugas Rasiukevicius wrote:
> > "Terry Moore" <tmm%mcci.com@localhost> wrote:
> > > Perhaps this is a silly comment; but wouldn't it be easier to simply
> > > time stamp the incoming request, and then spin for any authentication
> > > failure until a suitable fixed time has elapsed after the inbound
> > > arrival? Or are you worried about local cache-interference attacks as
> > > well?
> >
> > Why fixed time? Make it random time.
>
> Random noise can be filtered out moderately easily.
If you add it on top of the memcmp(), then yes. Not if you make the total
time random (take a timestamp from before the operation), just need to ensure
that it is above the upper bound.
--
Mindaugas
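
The approach described in the message above, as an added example that is not code from this thread or from bozohttpd: the timestamp is taken before the comparison and the return deadline (floor plus random offset) is fixed at entry, so the total time does not depend on where the comparison fails. `check_token_padded`, `TOKEN_LEN`, `FLOOR_NS` and `JITTER_NS` are hypothetical names and values chosen for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdint.h>
#include <stdio.h>
#include <time.h>

#define TOKEN_LEN 32          /* assumed: fixed-length credential digest */
#define FLOOR_NS  2000000LL   /* assumed upper bound of the check: 2 ms */
#define JITTER_NS 1000000LL   /* random span added above the floor */

static int64_t now_ns(void)
{
	struct timespec ts;
	clock_gettime(CLOCK_MONOTONIC, &ts);
	return (int64_t)ts.tv_sec * 1000000000LL + ts.tv_nsec;
}

/* Offset in [0, JITTER_NS) from the kernel RNG; 0 if it cannot be read. */
static int64_t jitter_ns(void)
{
	uint32_t r = 0;
	FILE *f = fopen("/dev/urandom", "rb");
	if (f != NULL) {
		if (fread(&r, sizeof r, 1, f) != 1)
			r = 0;
		fclose(f);
	}
	return (int64_t)(r % JITTER_NS);
}

/* Returns 1 on match, 0 otherwise. The return time is fixed at entry:
 * start + FLOOR_NS + jitter, whatever the comparison does. */
int check_token_padded(const unsigned char *supplied, const unsigned char *expected)
{
	int64_t start = now_ns();              /* timestamp before the operation */
	int64_t deadline = start + FLOOR_NS + jitter_ns();
	unsigned char acc = 0;
	int64_t left;

	for (size_t i = 0; i < TOKEN_LEN; i++) /* no early exit on mismatch */
		acc |= supplied[i] ^ expected[i];

	while ((left = deadline - now_ns()) > 0) {   /* sleep out the remainder */
		struct timespec ts = { (time_t)(left / 1000000000LL), (long)(left % 1000000000LL) };
		nanosleep(&ts, NULL);
	}
	return acc == 0;
}
```

If the comparison ever takes longer than `FLOOR_NS`, the function returns late and the padding no longer hides the difference, which is why the floor has to sit above the measured upper bound.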