Re: [RFC] Timing attack safe string comparison function

From:	Joe Watkins	Date:	Mon, 23 Dec 2013 11:16:47 +0000
Subject:	Re: [RFC] Timing attack safe string comparison function
References:	1 2 3 4 5	Groups:	php.internals
Request:	Send a blank email to internals+get-70860@lists.php.net to get a copy of this message

On 12/23/2013 11:04 AM, Marco Pivetta wrote:
Heya,

I was discussing about this RFC with Joe in Room 11 (where we keep him away
from society, for the greater good).

I was wondering why such an API must be implemented in PHP core (which
means C, which means that the usual 15~20 people can fix it if borked,
which is bad) and cannot be just left in userland as it already happens,
for example, with
https://github.com/zendframework/zf2/blob/master/library/Zend/Crypt/Utils.php#L17-L44and
similar libraries that have some decent security policies themselves
(nothing to say about PHP - you guys are doing great!).

Why do we need this in core?
Why can't a user copy-paste those rows (if it's a monkey-patcher) or just
use a library?

I don't trust PHP coders in general, so I'm pretty sure that the example
I've posted before @ https://gist.github.com/Ocramius/8094168 is quite
obscure to the 99.9% of PHP developers.

Who has been doing it wrong will continue going on and not caring.

Those who are aware of the dangers and do care are most probably already
using these kinds of checks vie an imported library.

So what is pushing towards yet another function in here?

Don't get me wrong: I am all for security, but I don't see a difference
between a php-core implementation and a userland implementation.

Cheers,



Marco Pivetta

http://twitter.com/Ocramius

http://ocramius.github.com/


Ok, good wanderings dear Macro ...

We already have it in core, here it is:

291    /* We're using this method instead of == in order to provide
292     * resistence towards timing attacks. This is a constant time
293     * equality check that will always check every byte of both
294     * values. */
295    for (i = 0; i < hash_len; i++) {
296        status |= (ret[i] ^ hash[i]);
297    }

So that puts in perspective the what if it borks argument, and the complication argument too, since the new function and old can share a static inline implementation of the same logic ... do you really want me to explain why static inline c is better than PHP, or is that obvious at this point ??

I would love it if at some point in the future you could point at bits of PHP and say "that's a good implementation", right now the most you can say is "here's some functions implemented to help in this area, and here's all the code and knowledge of PHP you require to make good, sane use of it".

Anyone who doesn't see that, is barking mad, barking, mad ...

Cheers
Joe


   

Thread (40 messages)

• Rouven WeßlingSun, 22 Dec 2013 17:08:09 +0000
  • Andrea FauldsSun, 22 Dec 2013 17:25:48 +0000
    • Rouven WeßlingMon, 23 Dec 2013 09:45:29 +0000
      • Joe WatkinsMon, 23 Dec 2013 10:01:26 +0000
      • Joe WatkinsMon, 23 Dec 2013 10:03:43 +0000
        • Yasuo OhgakiMon, 23 Dec 2013 22:30:36 +0000
          • Jake A. SmithTue, 24 Dec 2013 03:59:57 +0000
            • Thomas HruskaTue, 24 Dec 2013 04:35:15 +0000
              • Yasuo OhgakiTue, 24 Dec 2013 06:37:56 +0000
                • Thomas HruskaTue, 24 Dec 2013 08:28:36 +0000
                • Sara GolemonFri, 27 Dec 2013 13:57:51 +0000
                  • Adam HarveyFri, 27 Dec 2013 18:12:23 +0000
                    • Yasuo OhgakiFri, 27 Dec 2013 21:57:00 +0000
                      • Jake A. SmithSat, 28 Dec 2013 00:02:53 +0000
                        • Yasuo OhgakiSat, 28 Dec 2013 00:39:06 +0000
                          • Andrea FauldsSat, 28 Dec 2013 01:41:10 +0000
                            • Sanford WhitemanSat, 28 Dec 2013 07:31:32 +0000
                            • Rouven WeßlingSun, 19 Jan 2014 22:40:22 +0000
                  • Stas MalyshevFri, 27 Dec 2013 19:44:21 +0000
            • Mateusz KocielskiFri, 27 Dec 2013 09:04:07 +0000
              • Pierre JoyeFri, 27 Dec 2013 09:07:38 +0000
                • Rouven WeßlingFri, 27 Dec 2013 13:55:39 +0000
                  • Sara GolemonFri, 27 Dec 2013 14:03:14 +0000
      • Tjerk MeestersMon, 23 Dec 2013 14:15:06 +0000
  • Yasuo OhgakiSun, 22 Dec 2013 23:55:02 +0000
  • Tjerk MeestersMon, 23 Dec 2013 01:26:05 +0000
  • Joe WatkinsMon, 23 Dec 2013 09:09:06 +0000Re: [RFC] Timing attack safe string comparison function
    • Yasuo OhgakiMon, 23 Dec 2013 09:45:50 +0000Re: Re: [RFC] Timing attack safe string comparison function
  • Stas MalyshevMon, 23 Dec 2013 10:11:39 +0000
    • Joe WatkinsMon, 23 Dec 2013 10:20:46 +0000
    • Rouven WeßlingMon, 23 Dec 2013 10:26:42 +0000
      • Joe WatkinsMon, 23 Dec 2013 10:42:41 +0000
      • Joe WatkinsMon, 23 Dec 2013 10:50:01 +0000
        • Marco PivettaMon, 23 Dec 2013 11:04:10 +0000
          • Joe WatkinsMon, 23 Dec 2013 11:16:47 +0000
            • Joe WatkinsMon, 23 Dec 2013 11:19:25 +0000
            • Marco PivettaMon, 23 Dec 2013 11:25:35 +0000
          • Rouven WeßlingMon, 23 Dec 2013 16:46:14 +0000
            • Joe WatkinsMon, 23 Dec 2013 19:45:58 +0000
• Iwan LuijksFri, 27 Dec 2013 20:15:53 +0000RE: [PHP-DEV] [RFC] Timing attack safe string comparison function