tech-security archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
Re: const time authentication in bozohttpd
On 6/25/14, 12:25 PM, Terry Moore wrote:
> Here's how it's typically done.
>
> Choose a time (say one second) (call this delta_t). Get the system
> clock before you start authentication (call this t_mark). After any
> failure on the authentication path, delay responding until t_now >=
> t_mark+delta_t. (The overflow-safe way to compute this (t_now -
> t_mark >= delta_t).
Hi, Terry.
How do you choose delta_t? Don't you have to be sure that delta_t
is always greater than or equal to the time needed to authenticate?
(Otherwise the times for a successful authentication and an unsuccessful
authentication could differ thereby leaking information, right?) How
can you choose delta_t in a portable way?
I thought the way authentication is typically done is to be sure you
do the same amount of work for both a successful authentication and an
unsuccessful authentication. Then you don't need to choose a delta_t.
Authentication takes however long it takes, but the key property is that
it takes the same amount of time regardless of whether it is successful
or unsuccessful.
Lewis
Home |
Main Index |
Thread Index |
Old Index