by some_furry
1374 days ago
We don't consider "leaks the length of a SHA256 hash" to be a valid timing attack in most protocols for similar reasons (i.e. it's public knowledge). When developers encounter timing attacks in their code, they often invent really dumb ways to side-step the length "leaking". This might be understandable if it were a MAC-then-Encrypt protocol with PKCS padding (hello lucky13), but instead this comes up in the context of "validate this HMAC-SHA256 tag for our JWT-like protocol".
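As an added illustration of the point above (this is example code, not part of the comment or of any project it refers to): for a JWT-like `payload.tag` token, the HMAC-SHA256 tag length is fixed and public, so rejecting a wrong-length tag early leaks nothing an attacker does not already know. The timing risk that actually matters is a byte-by-byte comparison that exits on the first mismatch, which `hmac.compare_digest` avoids. The key, token format and helper names below are constructed for the demo.

```python
import base64
import binascii
import hashlib
import hmac

# Constructed demo key; a real service would load this from a secret store.
DEMO_KEY = b"demo-key-not-a-real-secret"
TAG_LEN = hashlib.sha256().digest_size  # 32 bytes: fixed and public for SHA-256


def sign(payload: bytes, key: bytes = DEMO_KEY) -> bytes:
    """Raw HMAC-SHA256 tag over the payload."""
    return hmac.new(key, payload, hashlib.sha256).digest()


def verify_naive(payload: bytes, tag: bytes, key: bytes = DEMO_KEY) -> bool:
    """The weak pattern: loop exits at the first differing byte, so the time
    taken correlates with how many leading tag bytes were correct."""
    expected = sign(payload, key)
    if len(tag) != len(expected):
        return False
    for a, b in zip(expected, tag):
        if a != b:
            return False
    return True


def verify_constant_time(payload: bytes, tag: bytes, key: bytes = DEMO_KEY) -> bool:
    """Hardened form. The length check is an early exit, but the expected
    length is public knowledge, so it reveals nothing. The byte comparison
    itself is done with hmac.compare_digest, which does not short-circuit."""
    if len(tag) != TAG_LEN:
        return False
    return hmac.compare_digest(sign(payload, key), tag)


def _b64e(raw: bytes) -> bytes:
    return base64.urlsafe_b64encode(raw).rstrip(b"=")


def _b64d(enc: bytes) -> bytes:
    return base64.urlsafe_b64decode(enc + b"=" * (-len(enc) % 4))


def encode_token(payload: bytes) -> bytes:
    """Constructed JWT-like format: base64url(payload) '.' base64url(tag)."""
    return _b64e(payload) + b"." + _b64e(sign(payload))


def decode_and_verify(token: bytes):
    """Return the payload if the tag verifies, else None."""
    parts = token.split(b".")
    if len(parts) != 2:
        return None
    try:
        payload, tag = _b64d(parts[0]), _b64d(parts[1])
    except (ValueError, binascii.Error):
        return None
    return payload if verify_constant_time(payload, tag) else None


if __name__ == "__main__":
    tok = encode_token(b'{"sub":"alice"}')
    print(tok)
    print(decode_and_verify(tok))
```

`verify_naive` is included only to show the pattern being replaced; `decode_and_verify` uses the constant-time path throughout.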