Re: streql - Constant-time string comparison
On 29/10/14 19:55, Richard van den Berg wrote:
> On 28-10-14 20:59 , Riley Baird wrote:
>> As far as I can tell, your code ensures that even if the strings are of
>> different length, an equality calculation should be performed anyway,
>> however returning 0, on the grounds that this would make it more
>> difficult for an attacker to know that the two strings entered were of
>> different lengths. Is this right?
>
> Pardon my ignorance, but how much more difficult does it actually become
> to determine the two inputs are of different length? In the original the
> function returns right away if xlen != ylen. If the attacker can control
> one of the inputs (say x), the change proposed by Joel will cause the
> time of the compare to increment when xlen in increased until xlen ==
> ylen. If this can be observed with enough precision the same objective
> can be achieved.
Good point. Perhaps this could be fixed by,
origleny=len(y)
while len(x) >= len(y):
y += '0'
result = i = 0
for i in xrange(len(x)):
result |= ord(x[i]) ^ ord(y[i])
return result == 0 and len(y) == origleny
This way, the time taken to complete the function will increase even
after xlen >= ylen
However, with this I'm concerned that the 'while' loop will take up too
much time, thus still allowing an attacker to see when the string
lengths become equal. Is there a quicker way to append zeros to a string
such that it is equal in length to the other string?
Reply to: