On 27/06/2014 19:38, Michael Richardson wrote:
> Terry Moore <tmm%mcci.com@localhost> wrote:
>>> Thank you for your continued explanation and patience.
>> Thank you in turn for getting me to clarify my thoughts. (It's an
>> interesting question -- how best to discourage these kinds of attacks.)
>
> I'm a little surprised at the techniques. I'd think that the right answer
> is, whenever it fails for any reason at all, that it should perform
> sleep(base+rand()) before answering. One could even time all of the
> various failures and adjust base to be the average time it has failed, if
> one had a stable place outside of a single process to store the running
> average. It seems that the mechanisms used simply penalize legitimate
> users with code that isn't optimized well.
That depends on the way you implement failure/success checks. On one hand, when you are doing hash-style checks (like HMACs), validity is essentially a check on the resulting value: legitimate users are _always_ penalized because a naive strcmp() will always run to completion before returning 0 (full string check), whereas an invalid hash will return a != 0 result before reaching the end of the byte string, at the point where they differ.
In that scenario illegitimate users have a lower computation time than legitimate ones because their computation will end earlier. Constant-time checks are good because they penalize illegitimate accesses without adding too much computation time for legitimate ones (they force the full string check even when the first byte is invalid).
On the other hand there are other systems (challenge based ones) where legitimate/illegitimate accesses can be designed so that illegitimate accesses get increasing penalty (zero knowledge proofs can have increasing round checks which require computation on the side of the prover). Out of scope there.
IMHO adding sleep(base + rand()) here is not productive. After all bozo is in the situation of comparing two byte strings (~= hash check), so the legitimate user is already penalized by bozo when it has to validate the entire string. Randomizing the sleep just increases the signal/noise ratio. IMHO constant-time checks are better.
You are right on the indistinguishability of the error (good example is CVE-2008-5161).
Cheers all,

-- 
Jean-Yves Migeon
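As an added illustration of the strcmp()-versus-constant-time point made above (example code written for this page, not bozohttpd's code and not posted by anyone on the thread): the early-exit compare stops at the first differing byte, so the amount of work it does depends on where a candidate tag first diverges from the expected one, while the constant-time compare always reads every byte. The 32-byte `expected_tag`, the `make_candidate()` helper and the `*_steps()`/`*_result()` wrappers are constructed for the demo; `steps` counts bytes examined so the difference is visible without a stopwatch.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TAG_LEN 32

/* Constructed 32-byte reference tag standing in for the server-side HMAC.
   Sample value made up for this example, not taken from the thread. */
static const uint8_t expected_tag[TAG_LEN] = {
    0x3a, 0x7f, 0x11, 0xc2, 0x9e, 0x04, 0x55, 0xd8,
    0x6b, 0xa0, 0xf3, 0x27, 0x8c, 0x4d, 0xe1, 0x19,
    0x72, 0xb5, 0x0e, 0xc9, 0x38, 0x6a, 0xfd, 0x41,
    0x90, 0x2c, 0xde, 0x57, 0x83, 0x1b, 0xa6, 0xe4,
};

/* Early-exit comparison, the shape strcmp()/memcmp() have: it returns at
   the first differing byte. *steps counts the bytes examined so that the
   dependence of the work on the mismatch position is visible. */
static int naive_compare(const uint8_t *a, const uint8_t *b, size_t n,
                         size_t *steps)
{
    size_t i;
    for (i = 0; i < n; i++) {
        (*steps)++;
        if (a[i] != b[i])
            return 1;       /* mismatch: returns before reaching the end */
    }
    return 0;               /* match: only reached after all n bytes */
}

/* Constant-time comparison: every byte is read regardless of where (or
   whether) a mismatch occurs. Differences are OR-ed into one accumulator
   and the only data-dependent decision is the final verdict itself. */
static int consttime_compare(const uint8_t *a, const uint8_t *b, size_t n,
                             size_t *steps)
{
    uint8_t acc = 0;
    size_t i;
    for (i = 0; i < n; i++) {
        (*steps)++;
        acc |= a[i] ^ b[i];
    }
    return acc != 0;        /* 0 if equal, 1 otherwise */
}

/* Hypothetical demo helper: builds a candidate equal to expected_tag
   except at byte `pos`; pos >= TAG_LEN yields an exact match. */
static void make_candidate(uint8_t out[TAG_LEN], size_t pos)
{
    memcpy(out, expected_tag, TAG_LEN);
    if (pos < TAG_LEN)
        out[pos] ^= 0x01;
}

/* Bytes examined, and verdict, for a candidate that first differs at `pos`. */
size_t naive_steps(size_t pos)
{
    uint8_t c[TAG_LEN];
    size_t steps = 0;
    make_candidate(c, pos);
    (void)naive_compare(expected_tag, c, TAG_LEN, &steps);
    return steps;
}

int naive_result(size_t pos)
{
    uint8_t c[TAG_LEN];
    size_t steps = 0;
    make_candidate(c, pos);
    return naive_compare(expected_tag, c, TAG_LEN, &steps);
}

size_t consttime_steps(size_t pos)
{
    uint8_t c[TAG_LEN];
    size_t steps = 0;
    make_candidate(c, pos);
    (void)consttime_compare(expected_tag, c, TAG_LEN, &steps);
    return steps;
}

int consttime_result(size_t pos)
{
    uint8_t c[TAG_LEN];
    size_t steps = 0;
    make_candidate(c, pos);
    return consttime_compare(expected_tag, c, TAG_LEN, &steps);
}

int main(void)
{
    size_t pos;
    /* pos == TAG_LEN is the legitimate (fully matching) candidate */
    printf("mismatch at  naive bytes read  const-time bytes read\n");
    for (pos = 0; pos <= TAG_LEN; pos += 8)
        printf("%11zu  %16zu  %21zu\n", pos, naive_steps(pos),
               consttime_steps(pos));
    return 0;
}
```

Two caveats for anyone lifting the idea into real code: both inputs must already have the same fixed length (compare fixed-size MACs, or compare digests of variable-length values), and a hand-rolled loop is only constant-time if the compiler leaves it alone, so production code should call the platform primitive (NetBSD's consttime_memequal(), OpenBSD's timingsafe_bcmp(), OpenSSL's CRYPTO_memcmp()) rather than re-deriving it.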