Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

AES-GCM: why BLAKE2s? #800

Closed
neomafo88 opened this issue Mar 11, 2024 · 1 comment
Closed

AES-GCM: why BLAKE2s? #800

neomafo88 opened this issue Mar 11, 2024 · 1 comment

Comments

@neomafo88
Copy link

https://github.com/Legrandin/pycryptodome/blob/master/lib/Crypto/Cipher/_mode_gcm.py#L478-L508

I was reviewing the verify method for my use case (wanted to return both self._compute_mac() in the case of a mismatch, instead of the current raise ValueError("MAC check failed")), and wondering why it is not just a simple comparison of self._compute_mac() == received_mac_tag?
@Varbin
Copy link
Contributor

Varbin commented Mar 11, 2024

This is to prevent timing attacks. The == operatore compares byte by byte. It "stops" as soon as the first byte mismatches. In a typical scenario (e.g. a server validates incoming GCM messages) where an attacker who tries to spoof messages, could measure how much bytes of the MAC of the spoofed message they 'guessed' correctly.

The blake2 hash randomizes - 'blinds' - the comparison, so repeated measurements does not leak any information about the MAC tag.

An alternative to blinding would be hmac.compare_digest.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@Varbin @neomafo88