Bug #71317 for Authen-Passphrase: Module susceptible to timing attacks

Wed Sep 28 13:53:03 2011 ccurtis0 [...] gmail.com - Ticket created

Subject:	Module susceptible to timing attacks
Date:	Wed, 28 Sep 2011 13:52:53 -0400
To:	bug-Authen-Passphrase [...] rt.cpan.org
From:	Christopher Curtis <ccurtis0 [...] gmail.com>

Hello, I installed Authen::Passphrase version 0.007-1 (Ubuntu) and looked at the source file for the BlowfishCrypt.pm module. The match routine uses an 'eq' comparison to determine equality. If I understand correctly, that means that this module may be susceptible to timing attacks. More details are available here: http://codahale.com/a-lesson-in-timing-attacks/ Many of the other modules also appear to suffer this problem. Thanks, Chris

Wed Sep 28 14:18:13 2011 zefram [...] fysh.org - Correspondence added

Subject:	Re: [rt.cpan.org #71317] Module susceptible to timing attacks
Date:	Wed, 28 Sep 2011 19:18:00 +0100
To:	Christopher Curtis via RT <bug-Authen-Passphrase [...] rt.cpan.org>
From:	Zefram <zefram [...] fysh.org>

Christopher Curtis via RT wrote: Show quoted text

>that means that this module may be susceptible to timing >attacks.

Indeed it is, though the impact of the timing attack there is very limited. At most it allows an attacker to determine the target hash, which he still has to reverse to produce an acceptable passphrase. But the hash isn't easy to extract, being obscured by the salting. I'd be a lot more concerned by the underlying cryptographic algorithms, implemented in a bunch of modules from diverse authors, most of which can be expected to be susceptible to timing and other side-channel attacks. S-box lookup, a very popular primitive, turns out to be susceptible to timing attacks based on cache behaviour, for a start. Perl as a whole, of course, has not been built as a platform for side-channel-resistant crypto. In any serious use of Perl for crypto, therefore, timing should be somewhat obscured, and you should not expect to defeat attackers who can monitor your power consumption very finely. Attacking the crypto algorithms under Authen-Passphrase could reveal the salt being used, which would be a big help in extracting the target hash by means of your original suggestion. But, as I noted, the attacker then still has to actually reverse the hash. These side-channel attacks are a much bigger worry in encryption situations, where a successful attack can directly reveal data being encrypted, or a key being relied upon for secrecy. If I were you I'd see that as a higher priority. I don't think I can seriously harden Authen-Passphrase against side-channel attacks. It's just not intended for use in situations where side-channel attacks are feasible. I can, however, put a note in the documentation to this effect. -zefram

Wed Sep 28 14:18:14 2011 The RT System itself - Status changed from 'new' to 'open'

Wed Sep 28 15:57:50 2011 ccurtis0 [...] gmail.com - Correspondence added

Subject:	Re: [rt.cpan.org #71317] Module susceptible to timing attacks
Date:	Wed, 28 Sep 2011 15:57:42 -0400
To:	bug-Authen-Passphrase [...] rt.cpan.org
From:	Christopher Curtis <ccurtis0 [...] gmail.com>

Zefram via RT wrote : Show quoted text

> I'd be a lot more concerned by the underlying cryptographic algorithms, > implemented in a bunch of modules from diverse authors, most of which can > be expected to be susceptible to timing and other side-channel attacks.

I'm not concerned about most side-channel attacks; timing attacks are accessible over the network (especially, I would suspect, from a module called 'Authentication'), while the others tend to require much greater proximity. I agree that the problem presents something of a challenge. And I think we could both agree that different implementations would have different levels of susceptibility. I was thinking perhaps the test suite could check a large set of passphrases and measure if there are timing differences between individual match() calls, failing the test for that module if any match's time varied "too much" from another's. As it turns out, my application can't use the match() function so I'm manually comparing the as_crypt() output. For this reason I think adding a note in the documentation would definitely be good. Chris

Wed Sep 28 16:05:20 2011 zefram [...] fysh.org - Correspondence added

Subject:	Re: [rt.cpan.org #71317] Module susceptible to timing attacks
Date:	Wed, 28 Sep 2011 21:05:09 +0100
To:	Christopher Curtis via RT <bug-Authen-Passphrase [...] rt.cpan.org>
From:	Zefram <zefram [...] fysh.org>

Christopher Curtis via RT wrote: Show quoted text

>I'm not concerned about most side-channel attacks; timing attacks are >accessible over the network

Yes, but there's naturally quite a bit of fuzzing applied in network situations. I doubt you could detect how far through the string the eq went. I think you'd need at least page faults to get a detectable timing difference. The only timing attack that I think is totally feasible over the network is to determine which hash algorithm is being used. You may well be able to tell the difference between existing and non-existing accounts that way, if you're guessing usernames. Hardening the individual algorithms doesn't fix that one. Show quoted text

>timing differences between individual match() calls, failing the test >for that module if any match's time varied "too much" from another's.

Automated timing tests are not feasible, because timing naturally varies quite a lot, which would produce a lot of false failures. I'm the current maintainer for Time::HiRes, which really *needs* timing tests, and I get a lot of failure reports from the CPAN Testers (or I did until they broke recently). I'm trying to make Time::HiRes's test suite a lot more forgiving on timing. -zefram

Sat Feb 04 09:08:29 2012 ZEFRAM [...] cpan.org - Correspondence added

Doc note added in Authen-Passphrase-0.008.

Sat Feb 04 09:08:31 2012 ZEFRAM [...] cpan.org - Status changed from 'open' to 'resolved'