tech-security archive


Re: const time authentication in bozohttpd



On 6/25/14, 6:20 PM, Terry Moore wrote:
> The delay time can be any time you like, as long as the minimum delay
> is greater than the longer of path (1) and path (2).  You are going to
> disclose the fact that user+password are invalid, in any case; but you
> should not disclose more info than that.

Hi, Terry.

It still isn't clear to me how to choose a delay time that is portable
and usable.  That's why I'm asking how you would actually choose it.  To
be more specific, how do you determine the time for path (1) and path
(2)?  Is that time the same on all hardware?  I bet not.  Is that time
the same under various system loads?  I don't know.  How do you make it
portable?

Maybe you choose the delay time to be so long that you are sure that,
regardless of hardware, load, or any other factors, it will be equal to
or longer than the greater of path (1) and path (2).  Is the delay time
actually reasonable at this point, or is it so long that it hurts the
usability of the authentication?

I'm just trying to understand how your method would work.  I can
understand, for example, introducing a random delay to defend against
a timing attack based on the analysis of the timing of network packets
corresponding to keyboard key presses of a user typing their password.
In that case, we can determine roughly how fast an average user might
type, and we can introduce a random delay that would disrupt timing
analysis.  What I'm not clear on is how you can do the same thing in a
portable way for computer hardware.

Best,

Lewis
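An added example, written for this archive page and not code from the thread or from bozohttpd, of the scheme Terry describes: run the check, then sleep until a fixed minimum delay has elapsed, so that path (1) (unknown user) and path (2) (wrong password) both finish no sooner than the floor. The credential store, `_check`, `pad_to_floor`, `authenticate` and `calibrate_floor` are all hypothetical names; `calibrate_floor` is one assumed answer to Lewis's portability question (measure both failure paths on the host at startup and take the slowest with a margin), not something the thread settles.

```python
import hashlib
import hmac
import time

# Constructed sample credential store: username -> salted SHA-256 of the password.
_SALT = b"constructed-salt"
_USERS = {"alice": hashlib.sha256(_SALT + b"correct horse").digest()}


def _check(user: str, password: str) -> bool:
    """The raw check with the two failure paths from the thread."""
    stored = _USERS.get(user)
    if stored is None:
        return False                                   # path (1): no such user
    digest = hashlib.sha256(_SALT + password.encode()).digest()
    return hmac.compare_digest(stored, digest)         # path (2): constant-time compare


def pad_to_floor(fn, floor_s: float):
    """Run fn() and return (result, elapsed) only after at least floor_s seconds.

    floor_s is Terry's 'minimum delay': it must exceed the slower of path (1)
    and path (2) on the host, or the padding does not hide which path ran.
    The loop re-checks the clock because sleep() can return early on some systems.
    """
    start = time.perf_counter()
    result = fn()
    while True:
        remaining = floor_s - (time.perf_counter() - start)
        if remaining <= 0:
            break
        time.sleep(remaining)
    return result, time.perf_counter() - start


def authenticate(user: str, password: str, floor_s: float = 0.05):
    """Padded authentication entry point; floor_s is the configured minimum delay."""
    return pad_to_floor(lambda: _check(user, password), floor_s)


def calibrate_floor(samples: int = 50, margin: float = 4.0) -> float:
    """Assumed approach to Lewis's question: time both failure paths on this host
    at startup and set the floor to the worst observed time times a safety margin."""
    worst = 0.0
    for _ in range(samples):
        for user, pw in (("nobody", "x"), ("alice", "wrong")):
            t0 = time.perf_counter()
            _check(user, pw)
            worst = max(worst, time.perf_counter() - t0)
    return worst * margin
```

A floor calibrated on an idle host can still be exceeded under heavy load, which is exactly the hardware/load concern raised above; a generous margin reduces but does not remove that risk.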

