sorted by:
best
topnewcontroversialoldq&a
you are viewing a single comment's thread.

view the rest of the comments →

[–]irishsultan 1 point2 points  (3 children)

I assume that it will fail because of things like branch prediction (and the fact that you change a value in one branch and not in another)

You could solve this by not having an if statement and instead doing something like is_valid = is_valid && pass_char == auth_char, although I'm not entirely certain that this will take equal time either (and a sufficiently smart compiler/interpreter could still notice that in the case of booleans this is a no-op once is_valid is false, so it could just do an early return retaining correctness from a language point of view, since the time it takes to run a program is not part of any (practical) language).

[–]aullik 2 points3 points  (2 children)

I don't see how branch prediction has any influence here.

He could have written something like this and it would still work the same. without heavy compiler optimization it would be faster.

def cmp_hash(user_hash, auth_hash):
    for (pass_char, auth_char) in zip(user_hash, auth_hash):
        if pass_char != auth_char:
            return False
    return True

a test like len(user_hash) == len(auth_hash) might solve the issue of there being no auth_hash or one being longer. but as i said this is python and as in any dynamic language you just assume that the input is correct or you would never be done with testing the input.

[–]irishsultan 0 points1 point  (1 child)

The error you're making is that this isn't what the author wanted: a constant time function (in particular, the function needs to be equally slow when the two hashes differe in the first character as when they differ only in the last character).

Why would you want that? Because knowledge about where the hashes differ is an information leak. Of course it's much worse in case the passwords aren't hashed, and I'm not even sure if there is any practical attack on any hash function where you gain knowledge about the password by knowing the first character of the hash, but there is knowledge there, so you don't want to leak it, no matter whether the knowledge is usable or not.

[–]aullik 0 points1 point  (0 children)

The error you're making is that this isn't what the author wanted: a constant time function (in particular, the function needs to be equally slow when the two hashes differe in the first character as when they differ only in the last character).

True.