Skip Menu |
 

This queue is for tickets about the Authen-Passphrase CPAN distribution.

Report information
The Basics
Id: 71317
Status: resolved
Priority: 0/
Queue: Authen-Passphrase

People
Owner: Nobody in particular
Requestors: ccurtis0 [...] gmail.com
Cc:
AdminCc:

Bug Information
Severity: (no value)
Broken in: (no value)
Fixed in: (no value)



Subject: Module susceptible to timing attacks
Date: Wed, 28 Sep 2011 13:52:53 -0400
To: bug-Authen-Passphrase [...] rt.cpan.org
From: Christopher Curtis <ccurtis0 [...] gmail.com>
Download (untitled) / with headers
text/plain 447b
Hello, I installed Authen::Passphrase version 0.007-1 (Ubuntu) and looked at the source file for the BlowfishCrypt.pm module. The match routine uses an 'eq' comparison to determine equality. If I understand correctly, that means that this module may be susceptible to timing attacks. More details are available here: http://codahale.com/a-lesson-in-timing-attacks/ Many of the other modules also appear to suffer this problem. Thanks, Chris
Subject: Re: [rt.cpan.org #71317] Module susceptible to timing attacks
Date: Wed, 28 Sep 2011 19:18:00 +0100
To: Christopher Curtis via RT <bug-Authen-Passphrase [...] rt.cpan.org>
From: Zefram <zefram [...] fysh.org>
Download (untitled) / with headers
text/plain 1.7k
Christopher Curtis via RT wrote: Show quoted text
>that means that this module may be susceptible to timing >attacks.
Indeed it is, though the impact of the timing attack there is very limited. At most it allows an attacker to determine the target hash, which he still has to reverse to produce an acceptable passphrase. But the hash isn't easy to extract, being obscured by the salting. I'd be a lot more concerned by the underlying cryptographic algorithms, implemented in a bunch of modules from diverse authors, most of which can be expected to be susceptible to timing and other side-channel attacks. S-box lookup, a very popular primitive, turns out to be susceptible to timing attacks based on cache behaviour, for a start. Perl as a whole, of course, has not been built as a platform for side-channel-resistant crypto. In any serious use of Perl for crypto, therefore, timing should be somewhat obscured, and you should not expect to defeat attackers who can monitor your power consumption very finely. Attacking the crypto algorithms under Authen-Passphrase could reveal the salt being used, which would be a big help in extracting the target hash by means of your original suggestion. But, as I noted, the attacker then still has to actually reverse the hash. These side-channel attacks are a much bigger worry in encryption situations, where a successful attack can directly reveal data being encrypted, or a key being relied upon for secrecy. If I were you I'd see that as a higher priority. I don't think I can seriously harden Authen-Passphrase against side-channel attacks. It's just not intended for use in situations where side-channel attacks are feasible. I can, however, put a note in the documentation to this effect. -zefram
Subject: Re: [rt.cpan.org #71317] Module susceptible to timing attacks
Date: Wed, 28 Sep 2011 15:57:42 -0400
To: bug-Authen-Passphrase [...] rt.cpan.org
From: Christopher Curtis <ccurtis0 [...] gmail.com>
Zefram via RT wrote : Show quoted text
> I'd be a lot more concerned by the underlying cryptographic algorithms, > implemented in a bunch of modules from diverse authors, most of which can > be expected to be susceptible to timing and other side-channel attacks.
I'm not concerned about most side-channel attacks; timing attacks are accessible over the network (especially, I would suspect, from a module called 'Authentication'), while the others tend to require much greater proximity. I agree that the problem presents something of a challenge. And I think we could both agree that different implementations would have different levels of susceptibility. I was thinking perhaps the test suite could check a large set of passphrases and measure if there are timing differences between individual match() calls, failing the test for that module if any match's time varied "too much" from another's. As it turns out, my application can't use the match() function so I'm manually comparing the as_crypt() output. For this reason I think adding a note in the documentation would definitely be good. Chris
Subject: Re: [rt.cpan.org #71317] Module susceptible to timing attacks
Date: Wed, 28 Sep 2011 21:05:09 +0100
To: Christopher Curtis via RT <bug-Authen-Passphrase [...] rt.cpan.org>
From: Zefram <zefram [...] fysh.org>
Download (untitled) / with headers
text/plain 1.1k
Christopher Curtis via RT wrote: Show quoted text
>I'm not concerned about most side-channel attacks; timing attacks are >accessible over the network
Yes, but there's naturally quite a bit of fuzzing applied in network situations. I doubt you could detect how far through the string the eq went. I think you'd need at least page faults to get a detectable timing difference. The only timing attack that I think is totally feasible over the network is to determine which hash algorithm is being used. You may well be able to tell the difference between existing and non-existing accounts that way, if you're guessing usernames. Hardening the individual algorithms doesn't fix that one. Show quoted text
>timing differences between individual match() calls, failing the test >for that module if any match's time varied "too much" from another's.
Automated timing tests are not feasible, because timing naturally varies quite a lot, which would produce a lot of false failures. I'm the current maintainer for Time::HiRes, which really *needs* timing tests, and I get a lot of failure reports from the CPAN Testers (or I did until they broke recently). I'm trying to make Time::HiRes's test suite a lot more forgiving on timing. -zefram
Doc note added in Authen-Passphrase-0.008.


This service is sponsored and maintained by Best Practical Solutions and runs on Perl.org infrastructure.

Please report any issues with rt.cpan.org to rt-cpan-admin@bestpractical.com.