
Timing-attack-resistant string comparison #6

Merged
merged 1 commit into from Oct 26, 2014

Conversation


@jboning jboning commented Sep 29, 2014

The current implementation leaks information about the correct value of
the OTP code in the string comparison, since Python's string comparison
is short-circuiting. This fixes the vulnerability. See
http://crypto.stanford.edu/~dabo/papers/ssl-timing.pdf for why this is
important even in network applications.

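The leak described in the pull request, as an added example that is not part of the pull request or of pyotp's own code (the merged fix is not shown on this page). A model of a short-circuiting comparison reports how many characters it inspected before returning, which is the deterministic form of the timing signal an attacker measures; beside it is an XOR-accumulating constant-time comparison and a verify_otp helper that prefers the standard library's hmac.compare_digest. The function names and the sample code 123456 are assumptions made for illustration.

```python
import hmac


def short_circuit_equal(a, b):
    """Model of a short-circuiting comparison such as Python's ``==``.

    Returns (equal, chars_examined). The second value is the number of
    characters inspected before the function could return; it grows with the
    length of the matching prefix, which is the signal a timing attack measures.
    """
    if len(a) != len(b):
        return False, 0
    examined = 0
    for x, y in zip(a, b):
        examined += 1
        if x != y:
            return False, examined
    return True, examined


def constant_time_equal(a, b):
    """Compare two strings without exiting early on the first mismatch.

    The bytes are XOR-ed pairwise and OR-ed into an accumulator, so every
    position is visited regardless of where (or whether) the strings differ.
    Only the length check exits early; for a fixed-width OTP the length is
    public, so that leaks nothing the attacker does not already know.
    """
    a_bytes = a.encode("utf-8")
    b_bytes = b.encode("utf-8")
    if len(a_bytes) != len(b_bytes):
        return False
    acc = 0
    for x, y in zip(a_bytes, b_bytes):
        acc |= x ^ y
    return acc == 0


def verify_otp(submitted, expected):
    """Verify a submitted OTP code against the expected one (hypothetical helper).

    Prefers hmac.compare_digest (Python 2.7.7 / 3.3 and later), which exists
    for exactly this purpose, and falls back to the manual constant-time
    comparison above on interpreters that lack it.
    """
    compare = getattr(hmac, "compare_digest", None)
    if compare is not None:
        return compare(submitted.encode("utf-8"), expected.encode("utf-8"))
    return constant_time_equal(submitted, expected)


if __name__ == "__main__":
    expected = "123456"  # constructed sample code, not a real secret
    for guess in ("000000", "120000", "123400", "123456"):
        _, examined = short_circuit_equal(guess, expected)
        print("guess %s: short-circuit examined %d char(s), constant-time says %s"
              % (guess, examined, verify_otp(guess, expected)))
```

Run stand-alone, the four guesses make the short-circuit model examine 1, 3, 5 and 6 characters respectively: each correctly guessed leading digit costs the server measurably more work, so an attacker can recover the code one digit at a time instead of searching the whole space. The constant-time path does the same work for all four. Note that the manual loop is still subject to interpreter and JIT effects, which is why hmac.compare_digest, implemented in C, is the preferred choice where available.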
@kislyuk
Member

kislyuk commented Sep 29, 2014

👍

@nathforge

Sorry, I've been terrible at handling this repo, not got much time these days. Thanks for your help - if anybody's interested in helping maintain the project, give me a shout!

@nathforge nathforge closed this Oct 24, 2014
@jboning
Author

jboning commented Oct 25, 2014

Did you mean to merge instead of closing? =)

@nathforge nathforge reopened this Oct 26, 2014
@nathforge

Ha, yep, that's pretty rude otherwise!

nathforge added a commit that referenced this pull request Oct 26, 2014
Timing-attack-resistant string comparison
@nathforge nathforge merged commit 55ee6f6 into pyauth:master Oct 26, 2014
@jboning jboning deleted the timing branch October 26, 2014 22:51
@kislyuk kislyuk mentioned this pull request Dec 2, 2014