Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Timing vulnerability? #42

Closed
corporealfunk opened this issue Jul 12, 2012 · 5 comments
Closed

Timing vulnerability? #42

corporealfunk opened this issue Jul 12, 2012 · 5 comments

Comments

@corporealfunk
Copy link

I've been working on implementing bcrypt-ruby and have been reading about timing attacks, particularly your article here:

http://codahale.com/a-lesson-in-timing-attacks/

I notice that Devise (popular gem that uses bcrypt-ruby) implements a constant-time comparison algorithm in conjunction with bcrypt-ruby:

https://github.com/plataformatec/devise/blob/master/lib/devise.rb#L424

I also notice that bcrypt-ruby's BCrypt class inherits from Ruby's String class, and the BCrypt#== method simply calls up to super, thus comparing strings using Ruby's String#== method, which I assume is not a constant-time comparison algorithm.

Should BCrypt handle this constant time issue in it's comparison method?
@tylerhunt tylerhunt mentioned this issue Jul 18, 2012
Closed
@codahale
Copy link
Contributor

No. One of the desired properties of a cryptographic hash function is preimage attack resistance, which means there is no shortcut for generating a message which, when hashed, produces a specific digest.

Finding a first-preimage attack for bcrypt would be surprising, to say the least.

@waiting-for-dev
Copy link

Hey, I have been worried recently about this issue. I understand the reason why it is not needed, but it seems that other language implementations like timingsafe_bcmp.c in py-bcrypt or password_verify() in PHP use constant time functions, following defence in depth policy.

I just took this information from a post in security stackexchange:

For hashing schemes such as Bcrypt, Scrypt, etc., timing attacks are irrelevant. Using comparisons such as == and === isn't a problem. Having that said, using constant time comparison is a good practice as part of a defence-in-depth policy. In fact, many Bcrypt implementations already used timing-safe comparison just in case (timingsafe_bcmp.c in py-bcrypt, for example).

What do you think about it?

@tjschuck
Copy link
Collaborator

tjschuck commented May 6, 2015

@waiting-for-dev See #43 for much more information about why this is unnecessary.

Regarding "defense in depth" for this specific issue, @codahale said it best on #43:

It's like saying holding an umbrella gives you a "slight advantage" over holding nothing over your head when a piano is dropped on you.

@waiting-for-dev
Copy link

Ok, thanks for pointing me there :)

@codahale
Copy link
Contributor

codahale commented May 6, 2015

To be clear, I’ve personally softened my position since then. I don’t think using a constant-time comparison function adds any actual security, but if it makes people feel better (and therefore more likely to use bcrypt instead of rolling their own), the cost isn’t particularly high.

I’m not maintaining the codebase, however, so I’ll defer to those who would actually bear that cost.

@glittershark glittershark mentioned this issue Aug 6, 2015
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@codahale @waiting-for-dev @tjschuck @corporealfunk