[wolfwyrd]

This is a timing attack or timing oracle. Lets assume a mac represented in an array of 32 bytes. If we had a pseudocode method like:

    byte [32] (actualMac, expectedMac)
    for int x = 0..31
        if (actualMac[x] != expectedMac[x])
            return false;
        fi
    end
    return true;

We return false as soon as we hit an invalid byte in our calculated mac. If the time taken to execute one iteration of the loop is Y and the attacker is able to time this method accurately they will be able to tell what the value of actualMac is by feeding known inputs. They will know because the return time will be 2Y when they have bailed after the first byte. 3Y after the second, 4Y after the third etc.

This is why we should check the arrays in constant time - compare every byte in both arrays before returning. We do not return early so we can’t leak information

[hellfish]

> in constant time

why is it called constant time if it isn't constant with respect to array length? Just seems confusing because the algorithm is linear without a short circuit

[namkt]

It's constant time in that it always takes the same amount of time regardless of the extent to which the two strings are equal. It is a different concept than constant time in complexity analysis.

What's even more confusing is that it is also constant time in the complexity analysis sense given that the mac is usually a fixed-size string after choosing a hashing algorithm.

[fweimer]

Isn't it sufficient to compare 64 bits at a time? Then the oracle becomes rather useless.

Many current memcmp implementations use such large comparisons because they avoid hard-to-predict data-dependent branches for extracting the specific point of mismatch.

[TylerE]

Don’t really buy it. Seems to be both “spherical cow optimistic assumptions” and “anyone who could seriously think about pulling this off has nation-state level resources and already 0wnz you and/or already has the rubber hose at hand"

[kapp_in_life]

Not really. It doesn't rely on that big of an assumption, nor does it require nation state resources[0]. When you're trying to find the secret you can make a bunch of requests and measure for statistically significant change, which can still be detectable beyond jitter & web server load.

Also ignoring the fact that calling constant_strcompare(string, string) instead of strcompare(string, string) when working with secrets isn't that big of an ask.

[0] https://crypto.stanford.edu/~dabo/papers/ssl-timing.pdf

[WhiteBlueSkies]

If you could measure the time granularly as a client requesting some resource on the server how exactly would you know the time corresponds to the comparison and not to some tangential task?