1String::Compare::ConstaUnsteTrimCeo(n3t)ributed Perl DocSutmreinntga:t:iCoonmpare::ConstantTime(3)
2
3
4

NAME

6       String::Compare::ConstantTime - Timing side-channel protected string
7       compare
8

SYNOPSIS

10           use String::Compare::ConstantTime;
11
12           if (String::Compare::ConstantTime::equals($secret_data, $user_supplied_data)) {
13             ## The strings are eq
14           }
15
16       An example with HMACs:
17
18           use String::Compare::ConstantTime;
19           use Digest::HMAC_SHA1; ## or whatever
20
21           my $hmac_ctx = Digest::HMAC_SHA1->new($key);
22           $hmac_ctx->add($data);
23           my $digest = $hmac_ctx->digest;
24
25           if (String::Compare::ConstantTime::equals($digest, $candidate_digest)) {
26             ## The candidate digest is valid
27           }
28

DESCRIPTION

30       This module provides one function, "equals" (not exported by default).
31
32       You should pass this function two strings of the same length. Just like
33       perl's "eq", it will return true if they are string-wise identical and
34       false otherwise. However, comparing any two differing strings of the
35       same length will take a fixed amount of time. If the lengths of the
36       strings are different, "equals" will return false right away.
37

TIMING SIDE-CHANNEL

39       Some programs take different amounts of time to run depending on the
40       input values provided to them. Untrusted parties can sometimes learn
41       information you might not want them to know by measuring this time.
42       This is called a "timing side-channel".
43
44       Most routines that compare strings (like perl's "eq" and "cmp" and C's
45       "strcmp" and "memcmp") start scanning from the start of the strings and
46       terminate as soon as they determine the strings won't match. This is
47       good for efficiency but bad because it opens a timing side-channel. If
48       one of the strings being compared is a secret and the other is
49       controlled by some untrusted party, it is sometimes possible for this
50       untrusted party to learn the secret using a timing side-channel.
51
52       If the lengths of the strings are different, because "equals" returns
53       false right away the size of the secret string may be leaked (but not
54       its contents).
55

HMAC

57       HMACs are "Message Authentication Codes" built on top of cryptographic
58       hashes. The HMAC algorithm produces digests that are included along
59       with a message in order to verify that whoever created the message
60       knows a particular secret password, and that this message hasn't been
61       tampered with since.
62
63       To verify a candidate digest included with a message, you re-compute
64       the digest using the message and the secret password. If this computed
65       digest is is the same as the candidate digest then the message is
66       considered authenticated.
67
68       A common side-channel attack against services that verify unlimited
69       numbers of messages automatically is to create a forged message and
70       then just send some random junk as the candidate digest. Continue
71       sending this message and junk digests that vary by the first character.
72       Repeat many times. If you find a particular digest that statistically
73       takes a longer time to be rejected than the other digests, it is
74       probably because this particular digest has the first character correct
75       and the service's final string comparison is running slightly longer.
76
77       At this point, you keep this first character fixed and start varying
78       the second character until it is solved. Repeat until all the
79       characters are solved or until the amount of remaining possibilities
80       are so small you can brute force it. At this point, your candidate
81       digest is considered valid and you have forged a message.
82
83       Note that this particular attack doesn't allow the attacker to recover
84       the secret input key to the HMAC but nevertheless can produce a valid
85       digest for any message given enough time because the service that
86       validates the HMAC is acting as an "oracle".
87
88       NOTE: Although this module protects against a common attack against
89       applications that store state in browser cookies, it is in no way an
90       endorsement of this practise.
91

LOCK-PICKING ANALOGY

93       Pin tumbler locks are susceptible to being picked in a similar way to
94       an attacker forging HMAC digests using a timing side-channel.
95
96       The traditional way to pick cheap pin tumbler locks is to apply torque
97       to the lock cylinder so that the pins are pressed against the cylinder.
98       However, because of slight manufacturing discrepancies one particular
99       pin will be the widest by a slight margin and will be pressed against
100       the cylinder tighter than the others (the cheaper the lock, the higher
101       the manufacturing tolerances). The attacker lifts this pin until the
102       cylinder gives a little bit, indicating that this pin has been solved
103       and the next widest pin is now the one being pressed against the
104       cylinder the tightest. This process is repeated until all the pins are
105       solved and the lock opens.
106
107       Just like an attacker trying to solve HMAC digests can work on one
108       character at a time, a lock pick can work on each pin in isolation. To
109       protect against this, quality locks force all pins to be fixed into
110       place before the cylinder rotation can be attempted, just as secure
111       HMAC verifiers force attackers to guess the entire digest on each
112       attempt.
113

SEE ALSO

115       The String-Compare-ConstantTime github repo
116       <https://github.com/hoytech/String-Compare-ConstantTime>
117
118       Authen::Passphrase has a good section on side-channel cryptanalysis
119       such as it pertains to password storage (mostly, it doesn't).
120
121       The famous TENEX password bug
122       <https://web.archive.org/web/20150913074712/http://www.meadhbh.org/services/passwords>
123
124       Example of a timing bug <http://rdist.root.org/2009/05/28/timing-
125       attack-in-google-keyczar-library/>
126
127       QSCAN <http://hcsw.org/nmap/QSCAN>
128
129       Practical limits of the timing side channel
130       <http://www.cs.rice.edu/~dwallach/pub/crosby-timing2009.pdf>
131
132       NaCl: Crypto library designed to prevent side channel attacks
133       <http://nacl.cr.yp.to/>
134

AUTHOR

136       Doug Hoyte, "<doug@hcsw.org>"
137
139       Copyright 2012-2018 Doug Hoyte.
140
141       Contributions from Paul Cochrane.
142
143       This module is licensed under the same terms as perl itself.
144
145
146
147perl v5.28.1                      2018-04-23  String::Compare::ConstantTime(3)
Impressum