rfc:timing_attack
Differences
This shows you the differences between two versions of the page.
rfc:timing_attack [2013/12/22 17:20] – realityking | rfc:timing_attack [2014/04/13 21:33] – realityking | ||
---|---|---|---|
Line 1: | Line 1: | ||
====== Request for Comments: Timing attack safe string comparison function ====== | ====== Request for Comments: Timing attack safe string comparison function ====== | ||
- | * Version: | + | * Version: 1.0 |
* Date: 2013-12-22 | * Date: 2013-12-22 | ||
- | * Author: Rouven Weßling, me@rouvenwessling | + | * Author: Rouven Weßling, me@rouvenwessling.de |
- | * Status: | + | * Status: |
* First Published at: http:// | * First Published at: http:// | ||
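Review bot: The Date field in this header hunk stays at 2013-12-22 while the same revision sets Version to 1.0 and is itself dated 2014/04/13, so the header no longer says when the current text was written. Either update the date or relabel it as the date of first publication, so readers can tell which version it refers to.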
Line 17: | Line 17: | ||
===== Proposal ===== | ===== Proposal ===== | ||
- | Implement a new function called | + | Implement a new function called |
- | Signature bool str_equals(string knownString, | + | Signature bool hash_compare(string knownString, |
- | The time this function takes is based only on two variables: | + | The time this function takes is based only on the length of the user supplied string. |
- | * length of userString | + | |
- | * whether | + | |
- | + | ||
- | The latter is a slight information leak but so uncommon it shouldn' | + | |
Users have to be mindful, as it is important that the user supplied string (or a hash of that string) is used as the the second parameter not the first. | Users have to be mindful, as it is important that the user supplied string (or a hash of that string) is used as the the second parameter not the first. | ||
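Review bot: The rewritten timing sentence in the Proposal ("based only on the length of the user supplied string") drops the second factor and the "slight information leak" remark from the removed bullets without saying what changed. If that second factor was eliminated, state how; if it was not, keep the caveat. The unchanged line that follows has a doubled word ("the the second parameter"). Since correct use depends on argument order, the text next to the signature should also say explicitly that the user-supplied string is the second argument.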
Line 40: | Line 36: | ||
None. | None. | ||
- | |||
- | ===== Open Issues ===== | ||
- | |||
- | * Decide on a name for the function. | ||
===== Patches and Tests ===== | ===== Patches and Tests ===== | ||
Patch including tests: https:// | Patch including tests: https:// | ||
+ | |||
+ | ===== Vote ===== | ||
+ | |||
+ | <doodle title=" | ||
+ | * Yes | ||
+ | * No | ||
+ | </ | ||
===== References ===== | ===== References ===== | ||
Line 56: | Line 55: | ||
* [[https:// | * [[https:// | ||
* [[https:// | * [[https:// | ||
+ | * [[https:// | ||
+ | |||
+ | ===== Changelog ===== | ||
+ | * 0.1 Initial publication | ||
+ | * 0.2 Renamed to hash_compare, | ||
+ | * 1.0 Moved function to ext/hash. Started voting. |
rfc/timing_attack.txt · Last modified: 2017/09/22 13:28 by 127.0.0.1