Inklings: a tumblelog

Timing attack in Google Keyczar library

Since the return value is a SHA-1 hash string, the operation devolves to a byte-by-byte compare against sig_bytes. In both Python and Java, this is a classic sequence comparison that returns as soon as the first mismatched byte is found. This allows an attacker to iteratively submit candidate HMAC values and measure how long the server takes to reject each one: the longer the response takes, the more leading bytes he has correct.

It may be non-intuitive, but the symmetric nature of MACs means the correct MAC value for an arbitrary message is a secret on par with key material: the verifier recomputes the tag with the same shared key, so whoever presents the right tag is indistinguishable from the key holder. If the attacker learns the correct MAC for a message of his choosing, he can send that value to forge authentication of the message to the server.
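To make the two paragraphs above concrete, here is an added example (not Keyczar's code, nor the original post's) that models the early-exit compare beside a constant-time one and runs the byte-by-byte recovery against both. The number of bytes the compare examines before returning is used as a deterministic stand-in for the response time an attacker would measure over the network; the key, the message and the verifier are all constructed for the demo.

```python
import hashlib
import hmac

# Constructed demo secret for the example; the attacker code below never reads it.
SERVER_KEY = b"constructed-demo-key-not-a-real-secret"
MAC_LEN = hashlib.sha1().digest_size  # 20 bytes for HMAC-SHA1


def compute_mac(key: bytes, message: bytes) -> bytes:
    """HMAC-SHA1 tag over the message (the construction Keyczar's signer uses)."""
    return hmac.new(key, message, hashlib.sha1).digest()


def early_exit_compare(expected: bytes, supplied: bytes):
    """Models a plain sequence compare (Python ==, Java Arrays.equals): it stops at the
    first mismatched byte. Returns (equal, bytes_examined); bytes_examined stands in
    for the latency an attacker would observe."""
    if len(expected) != len(supplied):
        return False, 0
    examined = 0
    for e, s in zip(expected, supplied):
        examined += 1
        if e != s:
            return False, examined
    return True, examined


def constant_time_compare(expected: bytes, supplied: bytes):
    """Examines every byte no matter where the mismatches are and folds the
    differences together with OR, so the loop has no data-dependent early exit."""
    if len(expected) != len(supplied):
        return False, 0
    diff = 0
    examined = 0
    for e, s in zip(expected, supplied):
        examined += 1
        diff |= e ^ s
    return diff == 0, examined


def make_verifier(compare):
    """Server side: recompute the tag with the shared key and compare it to the
    signature the client supplied, using the given compare function."""
    def verify(message: bytes, sig: bytes):
        return compare(compute_mac(SERVER_KEY, message), sig)
    return verify


def recover_mac(verify, message: bytes, length: int = MAC_LEN) -> bytes:
    """Attacker side: recover the tag for a chosen message one byte at a time, using
    only the accept/reject answer and the leaked work per query. With the early-exit
    compare the correct byte at each position is the one that makes the server do
    more work (get past that byte) than the 255 wrong ones."""
    guess = bytearray(length)
    for pos in range(length):
        best_byte, best_work = 0, -1
        for candidate in range(256):
            guess[pos] = candidate
            accepted, work = verify(message, bytes(guess))
            if accepted:           # last byte: the server simply accepts the forgery
                return bytes(guess)
            if work > best_work:
                best_byte, best_work = candidate, work
        guess[pos] = best_byte
    return bytes(guess)


if __name__ == "__main__":
    msg = b"transfer 1000 to attacker"  # constructed message of the attacker's choosing
    leaky = make_verifier(early_exit_compare)
    forged = recover_mac(leaky, msg)
    print("early-exit compare, forged tag accepted:", leaky(msg, forged)[0])
    safe = make_verifier(constant_time_compare)
    forged = recover_mac(safe, msg)
    print("constant-time compare, forged tag accepted:", safe(msg, forged)[0])
    # The stdlib already ships the fix; use it instead of == on tags.
    print("hmac.compare_digest:", hmac.compare_digest(compute_mac(SERVER_KEY, msg), forged))
```

With the early-exit verifier the attacker needs at most 256 queries per byte (about 5,000 in total) to walk the tag out of the server; with the constant-time verifier every query costs the server the same work, so the recovery loop learns nothing and falls back to guessing. In real code, use `hmac.compare_digest` (Python) or `MessageDigest.isEqual` (Java) rather than rolling your own loop.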

Completely non-intuitive, but it also makes complete sense to check for, even outside of MACs; there’s plenty of places I can think of in my code where there may be time-sensitive string comparisons. Audit ahoy!