tech-security archive


Re: const time authentication in bozohttpd



On Sun, Jun 29, 2014 at 06:08:29PM +0200, Jean-Yves Migeon wrote:
> IMHO adding sleep(base + rand()) here is not productive. After all bozo 
> is in the situation of comparing two byte strings (~= hash check), so 
> the legitimate user is already penalized by bozo when it has to validate 
> the entire string. Randomizing the sleep just increases the signal/noise 
> ratio. IMHO constant time checks is better.

The 'cost' of any memory compare will be absolutely minimal compared
to the cost of actually sending a TCP packet.

Is the time taken to do the password hash check actually measurable
on a remote system?
Go through a couple of routers and you'll get jitter.
Even the ethernet MAC's interrupt mitigation could well add enough jitter.

Of course, if you have to do another lookup against some database server
then that will add a measurable delay.

        David

-- 
David Laight: david%l8s.co.uk@localhost
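The two positions in this thread differ on whether the early exit in an ordinary byte compare is observable through network jitter, not on whether the early exit exists. The following is an added example, not code from bozohttpd or from either poster, that makes the leaked quantity explicit: each comparison loop reports how many byte positions it inspected before returning, which is what a remote attacker would be trying to recover from response latency. `naive_equal` has the shape of a plain strcmp()/memcmp() loop; `ct_equal` visits every byte and folds the differences with OR, so its work is independent of the input. The hash strings and the helper names are constructed for this example. NetBSD's libc provides consttime_memequal(3) for exactly this purpose, so real code should call that rather than reimplement it.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Early-exit comparison, the shape of a plain strcmp()/memcmp() loop.
 * *steps receives how many byte positions were inspected, which is the
 * quantity an attacker tries to infer from response latency. */
int naive_equal(const unsigned char *a, const unsigned char *b, size_t len,
                size_t *steps)
{
    size_t i;
    for (i = 0; i < len; i++) {
        if (a[i] != b[i]) {
            *steps = i + 1;
            return 0;
        }
    }
    *steps = len;
    return 1;
}

/* Constant-time comparison: every byte is visited and the differences are
 * folded with OR, so *steps is always len whatever the inputs are. The
 * volatile pointers keep the compiler from turning the loop back into an
 * early-exit compare. */
int ct_equal(const unsigned char *a, const unsigned char *b, size_t len,
             size_t *steps)
{
    const volatile unsigned char *va = a, *vb = b;
    unsigned acc = 0;
    size_t i;
    for (i = 0; i < len; i++)
        acc |= va[i] ^ vb[i];
    *steps = len;
    /* acc is 0..255: (acc - 1) >> 8 is 0 for acc in 1..255 and has its
     * low bit set only for acc == 0, so this yields 1 on equality
     * without a data-dependent branch. */
    return (int)(1u & ((acc - 1u) >> 8));
}

/* Helpers (names are this example's own) exposing the step counts for
 * equal-length strings. */
size_t naive_steps(const char *a, const char *b)
{
    size_t s;
    (void)naive_equal((const unsigned char *)a, (const unsigned char *)b,
                      strlen(a), &s);
    return s;
}

size_t ct_steps(const char *a, const char *b)
{
    size_t s;
    (void)ct_equal((const unsigned char *)a, (const unsigned char *)b,
                   strlen(a), &s);
    return s;
}

/* Password-hash check as a server would do it: 'stored' is the hash on
 * file, 'candidate' is the hash of what the client sent. Lengths are
 * compared first; when they differ, the loop still runs over the stored
 * hash against itself so the work done does not depend on the client's
 * input. Returns 1 on match, 0 otherwise. */
int ct_hash_check(const char *stored, const char *candidate)
{
    size_t slen = strlen(stored), clen = strlen(candidate);
    size_t steps;
    if (slen != clen) {
        (void)ct_equal((const unsigned char *)stored,
                       (const unsigned char *)stored, slen, &steps);
        return 0;
    }
    return ct_equal((const unsigned char *)stored,
                    (const unsigned char *)candidate, slen, &steps);
}

int main(void)
{
    /* Constructed sample hash strings, not real bozohttpd data. */
    const char *stored = "0123456789abcdef0123456789abcdef";
    const char *bad0   = "X123456789abcdef0123456789abcdef"; /* differs at byte 0 */
    const char *bad31  = "0123456789abcdef0123456789abcdeX"; /* differs at byte 31 */

    printf("naive, differ at byte 0:  %zu steps\n", naive_steps(stored, bad0));
    printf("naive, differ at byte 31: %zu steps\n", naive_steps(stored, bad31));
    printf("ct,    differ at byte 0:  %zu steps\n", ct_steps(stored, bad0));
    printf("ct,    differ at byte 31: %zu steps\n", ct_steps(stored, bad31));
    printf("ct_hash_check match: %d, wrong length: %d\n",
           ct_hash_check(stored, stored), ct_hash_check(stored, "0123"));
    return 0;
}
```

The step counts are the signal the thread is arguing about: with the naive loop the count ranges from 1 to the full length depending on where the guess first diverges, while the constant-time loop always reports the full length. Whether a difference of a few dozen byte compares survives router and NIC interrupt jitter is a separate question from whether it exists; the constant-time version removes it at negligible cost.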

