Re: HMAC verification with EVP Interface

> > Don't forget to use CRYPTO_memcmp for comparing the HMACs, not regular
> > ol' memcmp.
>
> What's the rationale?  The HMAC result isn't secret.

The _purported_ tag is public, but the _ground truth_ tag is not.
Indeed, that's the whole reason to use a constant time compare.
Otherwise, an attacker can adaptively construct a valid tag, or
forgery, for a chosen message (with no previous valid tag seen) by
varying tag bytes and submitting a chosen message with the candidate
tag for verification, and measuring the time. A regular memcmp will
early exit on the first mismatch between the purported tag and the
ground truth tag. In this way, the attack is linear in complexity.

This is the textbook example I give in my crypto courses for timing attacks.

Cheers,

BBB
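To make the point above concrete, here is an added illustration (not code from this thread or from OpenSSL): a constant-time tag compare written in the style of CRYPTO_memcmp, beside an instrumented early-exit compare that reports how many bytes it examined before deciding. The tag length and the sample tags are constructed for the demonstration and are not real HMAC outputs; in production the comparison should be CRYPTO_memcmp itself rather than a hand-rolled copy.

```c
#include <stddef.h>
#include <string.h>
#define TAG_LEN 32 /* e.g. the length of an HMAC-SHA256 tag */

/* Constant-time compare in the spirit of CRYPTO_memcmp: every byte is visited and
 * differences are OR-accumulated, so no branch depends on the data. 0 iff equal. */
int ct_tag_compare(const unsigned char *purported, const unsigned char *truth, size_t len)
{
    unsigned char diff = 0;
    for (size_t i = 0; i < len; i++)
        diff |= purported[i] ^ truth[i];
    return diff;
}

/* memcmp-style compare, instrumented to report how many bytes it examined. It
 * returns at the first mismatch, so the count (and the running time) tracks where
 * the purported tag first diverges from the ground truth. */
size_t early_exit_bytes_inspected(const unsigned char *a, const unsigned char *b, size_t len)
{
    for (size_t i = 0; i < len; i++)
        if (a[i] != b[i]) return i + 1;
    return len;
}

/* Constructed sample (not a real HMAC output): a fixed ground-truth tag and a
 * purported tag equal to it except at byte `mismatch_at` (>= TAG_LEN: no mismatch). */
static void make_sample(size_t mismatch_at, unsigned char *truth, unsigned char *purported)
{
    for (size_t i = 0; i < TAG_LEN; i++)
        truth[i] = (unsigned char)(0xA5 ^ (i * 37));
    memcpy(purported, truth, TAG_LEN);
    if (mismatch_at < TAG_LEN) purported[mismatch_at] ^= 0x01;
}

/* Bytes the early-exit compare looks at for a tag wrong at byte `mismatch_at`. */
size_t demo_bytes_inspected(size_t mismatch_at)
{
    unsigned char truth[TAG_LEN], purported[TAG_LEN];
    make_sample(mismatch_at, truth, purported);
    return early_exit_bytes_inspected(purported, truth, TAG_LEN);
}

/* The check a verifier should perform: 1 = tag valid, 0 = invalid. */
int demo_verify(size_t mismatch_at)
{
    unsigned char truth[TAG_LEN], purported[TAG_LEN];
    make_sample(mismatch_at, truth, purported);
    return ct_tag_compare(purported, truth, TAG_LEN) == 0;
}
```

A tag wrong at byte 0 is rejected by the early-exit compare after 1 byte, one wrong at byte 31 only after all 32, which is exactly the per-byte signal the constant-time version removes.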
