
Security Patch: Fixing Loopholes for Timing Attacks #3

Open
wants to merge 7 commits into
base: master
from

Conversation

@marcoonroad
Owner

marcoonroad commented Sep 8, 2019

This PR is open to track changes and further discussion. This patch introduces the eqaf library dependency and some refactorings. I need to make both execution flows, in case of success and failure, match in their approximate execution times. In this sense:

  • I compare strings/bytes in constant time (see eqaf);
  • I decrypt the ciphertext even if the MAC tags don't match (obviously the resulting plaintext is ignored and the computation fails);
  • Many recursive calls which would trigger a Garbage Collection (either minor-to-major heap promotion or major heap compaction) are avoided by using the imperative loops provided by OCaml syntax.

More discussion is still needed here.
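The first two points of the description, the constant-time tag compare and decrypting regardless of the MAC result, as an added illustration in Python that is not the project's OCaml code. It assumes a constructed toy encrypt-then-MAC scheme (SHA-256 keystream plus HMAC-SHA-256 tag) and uses `hmac.compare_digest` in the role that `Eqaf.equal` plays in the PR; `DEMO_KEY` and `DEMO_NONCE` are constructed sample values.

```python
import hashlib
import hmac
from typing import Optional

# Constructed sample values for the demo (not from the project).
DEMO_KEY = b"k" * 32
DEMO_NONCE = b"n" * 16


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Toy keystream: SHA-256(key || nonce || counter), for illustration only.
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    # Encrypt-then-MAC: blob = nonce (16) || ciphertext || tag (32).
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_leaky(key: bytes, blob: bytes) -> Optional[bytes]:
    # 'Before' pattern: a generic bytes compare (not guaranteed constant-time)
    # and an early return, so the work done depends on whether the tag matched.
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if tag != hmac.new(key, nonce + ct, hashlib.sha256).digest():
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


def open_constant_flow(key: bytes, blob: bytes) -> Optional[bytes]:
    # Patched pattern from the PR description: constant-time tag compare
    # (compare_digest stands in for Eqaf.equal) and decryption is always
    # performed; the plaintext is simply discarded when the tag failed, so the
    # success and failure paths do the same amount of work.
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    ok = hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest())
    pt = bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))
    return pt if ok else None


if __name__ == "__main__":
    blob = encrypt(DEMO_KEY, DEMO_NONCE, b"attack at dawn")
    print(open_constant_flow(DEMO_KEY, blob))
```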

marcoonroad added 7 commits Aug 25, 2019
… vulnerabilities by the means of timing attacks

Signed-off-by: Marco Aurélio da Silva <marcoonroad@gmail.com>
…pening phase

Signed-off-by: Marco Aurélio da Silva <marcoonroad@gmail.com>
Signed-off-by: Marco Aurélio da Silva <marcoonroad@gmail.com>
…t Makefile step

Signed-off-by: Marco Aurélio da Silva <marcoonroad@gmail.com>
…OCaml +4.07 during CI build

Signed-off-by: Marco Aurélio da Silva <marcoonroad@gmail.com>
Signed-off-by: Marco Aurélio da Silva <marcoonroad@gmail.com>
Signed-off-by: Marco Aurélio da Silva <marcoonroad@gmail.com>