Re: const time authentication in bozohttpd

To: Terry Moore <tmm%mcci.com@localhost>
Subject: Re: const time authentication in bozohttpd
From: "J. Lewis Muir" <jlmuir%imca-cat.org@localhost>
Date: Wed, 25 Jun 2014 14:04:08 -0500

On 6/25/14, 12:25 PM, Terry Moore wrote:
> Here's how it's typically done.
>
> Choose a time (say one second) (call this delta_t).  Get the system
> clock before you start authentication (call this t_mark). After any
> failure on the authentication path, delay responding until t_now >=
> t_mark+delta_t.  (The overflow-safe way to compute this (t_now -
> t_mark >= delta_t).

Hi, Terry.

How do you choose delta_t?  Don't you have to be sure that delta_t
is always greater than or equal to the time needed to authenticate?
(Otherwise the times for a successful authentication and an unsuccessful
authentication could differ thereby leaking information, right?)  How
can you choose delta_t in a portable way?

I thought the way authentication is typically done is to be sure you
do the same amount of work for both a successful authentication and an
unsuccessful authentication.  Then you don't need to choose a delta_t.
Authentication takes however long it takes, but the key property is that
it takes the same amount of time regardless of whether it is successful
or unsuccessful.

Lewis

Follow-Ups:
- RE: const time authentication in bozohttpd
  - From: Terry Moore
- RE: const time authentication in bozohttpd
  - From: Terry Moore

References:
- Re: const time authentication in bozohttpd
  - From: shm
- RE: const time authentication in bozohttpd
  - From: Terry Moore

Prev by Date: Re: add login.conf to getent(1)
Next by Date: Re: const time authentication in bozohttpd
Previous by Thread: RE: const time authentication in bozohttpd
Next by Thread: RE: const time authentication in bozohttpd
Indexes:

Home | Main Index | Thread Index | Old Index