Re: [PATCH] builtin/receive-pack: use constant-time comparison for HMAC value


"brian m. carlson" <sandals@xxxxxxxxxxxxxxxxxxxx> writes:

> When we're comparing a push cert nonce, we currently do so using strcmp.
> Most implementations of strcmp short-circuit and exit as soon as they
> know whether two values are equal.  This, however, is a problem when
> we're comparing the output of HMAC, as it leaks information in the time
> taken about how much of the two values match if they do indeed differ.
>
> In our case, the nonce is used to prevent replay attacks against our
> server via the embedded timestamp and replay attacks using requests from
> a different server via the HMAC.  Push certs, which contain the nonces,
> are signed, so an attacker cannot tamper with the nonces without
> breaking validation of the signature.  They can, of course, create their
> own signatures with invalid nonces, but they can also create their own
> signatures with valid nonces, so there's nothing to be gained.  Thus,
> there is no security problem.
>
> Even though it doesn't appear that there are any negative consequences
> from the current technique, for safety and to encourage good practices,
> let's use a constant time comparison function for nonce verification.
> POSIX does not provide one, but they are easy to write.

Devil's advocate mode on.

If the HMAC plus digital signature are the real security, even
though writing this patch may be a nice mental exercise, is there a
merit in deliberately adding more code and making the code
immeasurably slower by applying it?

You just established in the previous paragraph that "for safety" is
a red herring.
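
The timing behaviour under discussion in this thread, as an added example that is not part of the patch or of either message. `struct cmp_result`, `leaky_equal` and `ct_equal` are hypothetical names, the sample values are constructed, and the count of bytes examined stands in for running time so the difference is visible without measuring anything:

```c
#include <stdio.h>
#include <string.h>

/* Result plus the number of bytes examined; the count is a deterministic
 * stand-in for running time. */
struct cmp_result {
	int equal;
	size_t steps;
};

/* Early-exit comparison, as strcmp typically behaves. */
static struct cmp_result leaky_equal(const char *a, const char *b, size_t n)
{
	struct cmp_result r = { 1, 0 };
	while (r.steps < n) {
		size_t i = r.steps++;
		if (a[i] != b[i]) {
			r.equal = 0;
			break;
		}
	}
	return r;
}

/* Constant-time comparison: every byte is examined and the differences are
 * OR-ed together, so the work done does not depend on where they differ. */
static struct cmp_result ct_equal(const char *a, const char *b, size_t n)
{
	const volatile unsigned char *pa = (const volatile unsigned char *)a;
	const volatile unsigned char *pb = (const volatile unsigned char *)b;
	struct cmp_result r = { 0, 0 };
	unsigned char diff = 0;
	for (; r.steps < n; r.steps++)
		diff |= pa[r.steps] ^ pb[r.steps];
	r.equal = (diff == 0);
	return r;
}

int main(void)
{
	/* Constructed 40-hex-digit values, not real HMAC output. */
	const char *want = "3f9a1c0de4b27788a1b2c3d4e5f60718293a4b5c";
	const char *got  = "3f9a1c0de4b27788a1b2ffffffffffffffffffff";
	size_t n = strlen(want);
	printf("early-exit: %zu bytes, constant-time: %zu bytes\n",
	       leaky_equal(want, got, n).steps, ct_equal(want, got, n).steps);
	return 0;
}
```

Both functions assume the two buffers have the same, publicly known length `n`, as fixed-size HMAC output does.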


