Message 162855 - Python tracker

Message162855

Author	ncoghlan
Recipients	arigo, christian.heimes, fijall, hynek, loewis, ncoghlan, pitrou
Date	2012-06-15.07:41:40
SpamBayes Score	-1.0
Marked as misclassified	Yes
Message-id	<1339746101.2.0.168012572077.issue15061@psf.upfronthosting.co.za>
In-reply-to

Content
To repeat, the specific feature being proposed for retention is: * a function called hmac.total_compare() that is clearly documented as being still vulnerable to timing analysis given a sufficiently sophisticated attacker, while still being more resistant to such analysis than the standard comparison operator * restricting that function to operating on bytes, to eliminate timing variations associated with encoding/decoding of Unicode text and reduce those associated with the calculation of integer values Leaking less information on each comparison is intended to increase the effectiveness of higher level timing attack countermeasures (such as rate limiting and lockouts). Anyone that would use "hmac.total_compare" and call it done is likely using ordinary comparison today (which is even worse).

Content

To repeat, the specific feature being proposed for retention is:

* a function called hmac.total_compare() that is clearly documented as being still vulnerable to timing analysis given a sufficiently sophisticated attacker, while still being more resistant to such analysis than the standard comparison operator

* restricting that function to operating on bytes, to eliminate timing variations associated with encoding/decoding of Unicode text and reduce those associated with the calculation of integer values

Leaking less information on each comparison is intended to increase the effectiveness of higher level timing attack countermeasures (such as rate limiting and lockouts). Anyone that would use "hmac.total_compare" and call it done is likely using ordinary comparison today (which is even worse).

History
Date	User	Action	Args
2012-06-15 07:41:41	ncoghlan	set	recipients: + ncoghlan, loewis, arigo, pitrou, christian.heimes, fijall, hynek
2012-06-15 07:41:41	ncoghlan	set	messageid: <1339746101.2.0.168012572077.issue15061@psf.upfronthosting.co.za>
2012-06-15 07:41:40	ncoghlan	link	issue15061 messages
2012-06-15 07:41:40	ncoghlan	create