[amluto]

That's not how I read it at all. The author is saying that non-password tokens can be vulnerable if you don't treat them the same way you'd treat passwords and is essentially suggesting that they be split into username-like and password-like fields.

There's another unrelated solution to the problem: make the tokens be AEAD [1] output from a scheme with a global (perhaps rotated) secret or signed output from an asymmetric cryptosystem. Then you're protected by the usual AEAD or digital signature guarantees as long as you properly verify the token before doing something silly like looking up the ciphertext in a database.

[1] Strictly speaking, encryption may be unnecessary depending on what's in the token.

[tbrowbdidnso]

If you want to avoid timing attacks on the username and pw isn't the easiest way to just hash them as if they're both passwords? (at least on initial login). Since the hashes are cryptographically secure you can't infer any timing information from incorrect guesses

[CiPHPerCoder]

We aren't interested in timing attacks on username+password, we're interested in timing attacks on authentication schemes that only involve one string (i.e. ONLY a token).

Simply hashing it before a lookup may be sufficient.

However, it's actually easier to reason about separating the search operating (which leaks timing information unavoidably) from the validation operation (which shouldn't leak timing information if we can avoid it) than relying on a hash function to blind the operation completely.

[foo101]

Can you explain in what way is it easier to reason about separating the search operation from the validation operation?

I can argue that it is easier to reason about simply hashing and then looking up because once hashed, the lookup does not leak any timing information, whereas in your solution the lookup does leak timing information.

Can you refute my argument?

[CiPHPerCoder]

Hashing is deterministic.

If you give the system m, you can probably deduce H(m). If you can send candidates m, m', m'', etc. and compare the timing information of H(m), H(m'), H(m''), etc. you can learn some information about the hash being stored.

This still probably isn't exploitable (you'd need a practical preimage attack, at a minimum), but you're still leaking some knowledge from the timing leak of the comparison of the candidate hash with the stored hash.

With a split token approach, the verifier is totally unknown to the attacker. You can generate a valid selector from observing timing observations... and that's it. Game over. Find another way in the system.

If you have a 128-bit random string as your inputs, this will probably never be guessed.

It's easier to reason about the security consequences of no leak versus a minor, probably impractical leak.

[tbrowbdidnso]

You can mix the hash with a salt that the attacker doesn't and cannot ever know. This is pretty standard and prevents the leak of timing from revealing anything about the hash. The only time this fails is if your hash function is broken, and if that's the case you've got much bigger problems

[earthrise]

The salt would need to be kept secret so it shouldn't be called a salt, it should be called a key. The benefit of Scott's solution compared to this is that you don't need to deal with all the usability problems associated with keeping something secret (where should it be stored on the server? how should it be backed up? how often should it be changed? etc.)

[CiPHPerCoder]

Hash it how, exactly? H(s || m)? HMAC(m, s)?

> The only time this fails is if your hash function is broken, and if that's the case you've got much bigger problems

Or if your salt is leaked.

A salt, by definition, is not a cryptographic secret. That's why they're stored (in plaintext) as part of the hash in every password hashing algorithm.

It sounds like you're advocating for an additional HMAC instead, with a secret key used to authenticate these messages instead of a salt. Which is fine.

But to call split tokens convoluted, then turn around and propose salted hashing the entire thing and still not solving the existence of the timing leak? I find this hypocritical, and oddly reminiscent of people who think it's fine to escape-and-concatenate to solve SQL injection when we've had prepared statements available for over a decade.