Questions tagged [timing-attack]

32 questions
18
votes
4 answers

Could a random sleep prevent timing attacks?

From Wikipedia: In cryptography, a timing attack is a side channel attack in which the attacker attempts to compromise a cryptosystem by analyzing the time taken to execute cryptographic algorithms. Actually, to prevent timing attacks, I'm…
DrKey
13
votes
1 answer

Why is order of arguments in PHP's hash_equals() function important?

PHP 5.6 introduced hash_equals() function for safe comparison of password hashes and prevention of timing attacks. Its signature is: bool hash_equals(string $known_string, string $user_string) As described in the documentation, $known_string and…
Alex Shesterov
12
votes
1 answer

Timing attack with PHP

I'm trying to produce a timing attack in PHP and am using PHP 7.1 with the following script:
exussum
10
votes
2 answers

MessageDigest.isEqual function use in Java

I have two questions that I don't understand. Please help me take a look. Thanks. What is the use of MessageDigest.isEqual function in Java? Explain why, in some versions prior to Java SE 6 Update 17, it was vulnerable to a timing attack.
user5545809
7
votes
1 answer

Does this prefetch256() function offer any protection against cache timing attacks on AES?

This is a borderline topic. Since I wanted to know about programming, CPU cache memory, reading CPU cache lines etc, I'm posting it here. I was implementing AES algorithm in C/C++. Since performing GF(2^8) multiplications are computationally…
Vivekanand V
7
votes
1 answer

String prediction through comparisons

Today I woke up and wondered if it would be possible to predict Strings by only analyzing the time between each comparison. I created a rudimentary class (I know that it is not the best algorithm, but it works for me) to try to prove this, and the answer…
juanhl
3
votes
2 answers

Main techniques for preventing timing attacks

I am not very familiar with security stuff, but have encountered this constant time function to prevent timing attacks: // shortcutting on type is necessary for correctness if (!Buffer.isBuffer(a) || !Buffer.isBuffer(b)) { return false; } //…
Lance
3
votes
0 answers

Cache timing on ARM processor

I need to implement AES algorithm on a smartphone with ARM Cortex A-15 processor (Samsung Galaxy Note 3, etc) and need to observe and save cache timings for each process, round. How do I go about it? To be precise, I need to observe time taken by the…
Tashi
3
votes
1 answer

Compare 2 secrets in constant time using Windows crypto API

Using the Windows cryptography API, how do I compare two byte arrays for equality in constant time? Edit: The length of the secret is fixed and is public knowledge.
Demi
3
votes
1 answer

Comparing two byte arrays guarding against timing attacks

I want to write a method to compare two byte arrays, but I do not want to use these solutions because I want the method to be resistant to timing attacks. My method essentially looks like: static bool AreEqual(byte[] a1, byte[] a2) { bool…
Daniel Trebbien
2
votes
2 answers

Prevent django send_mail timing attack

I have different REST-API views where I either send a mail (if an account exists) or do not send a mail. For example, the user can input the email in the forgot-password form and a mail is sent if the account exists. I am using from django.core.mail…
2
votes
2 answers

Should I use == for string comparison?

Sorry if this is a weird question. I was actually curious about timing attacks, so I have done a little research and understood the concept. I understood that, code like: if token == password: print('Welcome') else: print('Wrong…
nltc
2
votes
0 answers

Is it necessary to worry about timing attacks when comparing SHA256 or Argon2 hashes?

I have implemented the Argon2 hashing algorithm for password hashing. I am worried about my code; it may be vulnerable to a timing attack. public static boolean login(String mailId, String password) { List userList = findByMailId(mailId); if…
Victory
2
votes
1 answer

PHP double randomised hmac verification to prevent timing attack

A way to prevent timing attacks for hash string comparison is to perform additional HMAC signing in order to randomize the verification process (see…
az2014
1
vote
0 answers

Reproduce a Timing Attack with Node.js

I'm trying to recreate a Timing Attack with Node.js for training purposes. I think I'm doing something wrong, because I was expecting other results. I've created a simple and basic Node app: const express = require('express'); const app =…