Constant time comparison for URL tokens

Question

Constant time comparison for URL tokens

Closed this issue 12 years ago · 6 comments

stefanw commented 12 years ago

Both drop_id and editor_token seem to be vulnerable to a timing attack.

Use a constant time comparison when processing requests to avoid that an attacker can guess secret URLs.

Answer 1 · 2012-07-30T20:20:33.000Z

i agree. this seems to be covered by issue #2 already, though. we definitely need better randomness here.

thanks!

Answer 2 · 2012-07-30T22:10:23.000Z

No, this is not related to #2. A better source of randomness will not protect you against a timing attack.

The currently implemented comparison:

if dropbox.editor_token == request.matchdict['editor_token']:

in the function dropbox_editor_factory can be timed and a valid editor_token can be determined from enough measurements.

A function that compares two values in constant time mitigates this type of attack (for an example, see Django's constant_time_compare).

I applaud ZeitOnline's step to open source this tool, but if it is to be taken seriously, you should know about these types of attacks and take these issues seriously.

Answer 3 · 2012-07-30T22:51:34.000Z

And if you're tempted to think "You can’t possibly measure that, can you?", you might want to read this:

We have shown that, even though the Internet induces significant timing jitter, we can reliably distinguish remote timing differences as low as 20µs. A LAN environment has lower timing jitter, allowing us to reliably distinguish remote timing differences as small as 100ns (possibly even smaller). These precise timing differences can be distinguished with only hundreds or possibly thousands of measurements.

Opportunities And Limits Of Remote Timing Attacks

Answer 4 · 2012-07-30T23:17:45.000Z

i stand corrected. thanks for the follow up and the links.

Answer 5 · 2012-07-31T15:41:00.000Z

this has been addressed now in the 0.1.3 release (https://github.com/ZeitOnline/briefkasten/blob/master/CHANGES.rst#013---2010-07-31), specifically in 852e37c

feel free to re-open if you have any issue with that implementation. thanks again!

Answer 6 · 2012-07-31T16:08:18.000Z

For the drop_id you check if a directory with that name exists on the file system. I'm not a security expert, but it's very likely that this would also suffer from a timing attack.

Since it's a system call, you can't really implement it yourself in constant time. But you can add a small, random delay in get_dropbox on KeyError with a time.sleep. I have no idea if this is the best approach though.