Hacker News new | ask | show | jobs
by trebor 4047 days ago
No. A timing attack is used to determine the shared key that creates the HMAC. Because == and === (depending on the language) use memcmp(), the time of the comparison varies. EG:

36D5F4EA999342FED17D7488CB260FC92926 36D5F4EA999342FED18D7488CB260FC92926

The code would compare only up to the difference and return, indicating through the time spent analyzing the HMAC how many characters are the same. The attacker can then work the HMAC like they would a combination lock, till they reproduce the key used.

That's why a constant time comparison is so important: it leaks far less information.
2 comments
sdevlin 4047 days ago
This is a forgery attack, not a key-recovery attack.
link
trebor 4047 days ago
I am not a cryptographer. I don't quite understand the distinction you are drawing with so little information. Care to explain what I misunderstood?
link
sdevlin 4047 days ago
Given a message M and a secret key K, we have:

    MAC(K, M) -> T
To validate a pair (M, T), we verify:

   T = MAC(K, M)
Ideally, the execution time in this verification is independent of T. But many languages use string-comparison algorithms that exit immediately on failure. If Eve can detect this difference with high granularity, she has an oracle telling her how many leading bytes of a guessed tag T' are valid:

    O(M, T') -> n
She can use this to recover the first byte of a valid tag for M:

    for k in [0, 255]:
        if O(M, k || 0000...) > 0:
            return k
She can extend this to recover the second byte, the third, and so on. Eventually, Eve will recover T such that MAC(K, M) = T. In other words, Eve is able to forge an authentication tag T for an arbitrary message M.

What she won't do is recover K. So while she can forge tags for arbitrary messages, each forgery will require a fresh, online interaction with the verifying party. She cannot work backwards from (M, T) to K.

link
sarciszewski 4047 days ago
To put it another way: You (slowly and painstakingly) defeat the authentication without having to brute force, e.g. 2^128, possible keys.

However, the key is still unknown to you. It just doesn't matter, because you can forge messages without it.

link
trebor 4047 days ago
Thank you for the in-depth explanation!
link
jdhawk 4047 days ago
Thanks for the explanation.
link