hmac.secure_compare() leaks information about length of strings

[tiran]

BPO	15061
Nosy	@loewis, @birkenfeld, @gpshead, @ncoghlan, @pitrou, @tiran, @alex, @akheron, @hynek, @serhiy-storchaka
Files	secure_compare_length.patch timingsafe.h timingsafe_cmp.patch timingsafe_cmp-2.patch compare_digest_c.patch compare_digest_c-2.patch

^{Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.}

Show more details

GitHub fields:

assignee = None
closed_at = <Date 2012-06-24.13:12:05.157>
created_at = <Date 2012-06-13.23:00:23.931>
labels = ['type-security', 'library']
title = 'hmac.secure_compare() leaks information about length of strings'
updated_at = <Date 2012-06-24.13:12:05.156>
user = 'https://github.com/tiran'

bugs.python.org fields:

activity = <Date 2012-06-24.13:12:05.156>
actor = 'christian.heimes'
assignee = 'none'
closed = True
closed_date = <Date 2012-06-24.13:12:05.157>
closer = 'christian.heimes'
components = ['Library (Lib)']
creation = <Date 2012-06-13.23:00:23.931>
creator = 'christian.heimes'
dependencies = []
files = ['26003', '26068', '26079', '26106', '26112', '26120']
hgrepos = []
issue_num = 15061
keywords = ['patch', 'needs review']
message_count = 96.0
messages = ['162739', '162758', '162759', '162760', '162761', '162762', '162763', '162764', '162765', '162766', '162767', '162768', '162769', '162770', '162773', '162775', '162777', '162778', '162838', '162845', '162846', '162847', '162848', '162850', '162852', '162853', '162855', '162856', '162857', '162858', '162859', '162860', '162861', '162862', '162863', '162864', '162865', '162866', '162867', '162868', '162871', '162872', '162873', '162875', '162877', '162880', '162882', '162885', '162888', '162891', '162892', '162893', '162895', '162899', '162914', '162949', '162950', '163159', '163163', '163168', '163170', '163186', '163188', '163192', '163193', '163196', '163204', '163329', '163333', '163343', '163347', '163365', '163366', '163368', '163371', '163377', '163378', '163385', '163390', '163468', '163469', '163613', '163614', '163615', '163617', '163619', '163623', '163625', '163626', '163627', '163630', '163652', '163671', '163696', '163780', '163784']
nosy_count = 13.0
nosy_names = ['loewis', 'georg.brandl', 'gregory.p.smith', 'ncoghlan', 'pitrou', 'christian.heimes', 'alex', 'fijall', 'python-dev', 'petri.lehtinen', 'hynek', 'serhiy.storchaka', 'Jon.Oberheide']
pr_nums = []
priority = 'normal'
resolution = 'fixed'
stage = 'resolved'
status = 'closed'
superseder = None
type = 'security'
url = 'https://bugs.python.org/issue15061'
versions = ['Python 3.3']

[tiran]

The secure_compare() function immediately returns False when both strings don't have equal length. With the patch the run time of secure_compare() always depends on the length of the right side. It no longer gives away information about the length of the left side.

The patch should be applied in combination with the patch in issue bpo-14955.

[fijall]

secure_compare leaks the password always. Note that it takes different time to create a result of ord() depending whether it's <=100 or > 100 due to caching of small numbers. Such functions should be written in C.

[hynek]

We should. Adding secure functions that aren't really secure is something we should rather avoid. :)

Christian, are you willing to do that?

[arigo]

fijal: while I agree with you, the limit for small ints has actually been pushed to 257 in recent CPythons. So it should still theoretically work --- of course, assuming a predictable CPU, which is wrong, and assuming a simple interpreter. (We can probably dig enough to find a timing issue even with CPython, and of course it's clear with any of the other Python interpreters out there.)

[tiran]

I don't see how the function is going to leak this information when both this patch and the patch in bpo-14955 are applied. With http://bugs.python.org/file25801/secure-compare-fix-v2.patch ord() is no longer used and thus avoid the timing difference for integers > 256 (NSMALLPOSINTS is defined as 257, not 100).

[fijall]

Ah unicodes. is encode('unicode-internal') independent on the string characters? I heavily doubt so. you leak at least some information through that function alone.

[pitrou]

With PEP-393 unicode objects can have several representations, which makes it unlikely that *really* constant-timing functions can be devised.

Speaking about this particular patch, I don't understand the point. secure_compare() is obviously meant to be used on inputs of some known length, not arbitrary data.

[tiran]

IMHO it's not obvious to all users. Better safe than sorry. ;)

The invariant 'known and equal length' impresses an artificial limitation. Code may need to compare outside data with internal data without exposing too many details about the structure of the internal data.

The other matter should be discussed at bpo-14955.