Re: [RFC] Timing attack safe string comparison function

From:	Thomas Hruska	Date:	Tue, 24 Dec 2013 04:35:15 +0000
Subject:	Re: [RFC] Timing attack safe string comparison function
References:	1 2	Groups:	php.internals
Request:	Send a blank email to internals+get-70869@lists.php.net to get a copy of this message

On 12/23/2013 8:59 PM, Jake A. Smith wrote:
Hi all,

"strcmp_secure()" or something like this would be good, as it could be

used any security sensitive string comparison.

I like that. It makes sense for the function to be named for what it does, not how one hopes or expects it will be used.

JS

Perhaps this could be implemented by adding an optional parameter to the existing str...cmp() series of functions instead of adding more functions.

-- 
Thomas Hruska
CubicleSoft President

I've got great, time saving software that you might find useful.

http://cubiclesoft.com/


   

Thread (40 messages)

• Rouven WeßlingSun, 22 Dec 2013 17:08:09 +0000
  • Andrea FauldsSun, 22 Dec 2013 17:25:48 +0000
    • Rouven WeßlingMon, 23 Dec 2013 09:45:29 +0000
      • Joe WatkinsMon, 23 Dec 2013 10:01:26 +0000
      • Joe WatkinsMon, 23 Dec 2013 10:03:43 +0000
        • Yasuo OhgakiMon, 23 Dec 2013 22:30:36 +0000
          • Jake A. SmithTue, 24 Dec 2013 03:59:57 +0000
            • Thomas HruskaTue, 24 Dec 2013 04:35:15 +0000
              • Yasuo OhgakiTue, 24 Dec 2013 06:37:56 +0000
                • Thomas HruskaTue, 24 Dec 2013 08:28:36 +0000
                • Sara GolemonFri, 27 Dec 2013 13:57:51 +0000
                  • Adam HarveyFri, 27 Dec 2013 18:12:23 +0000
                    • Yasuo OhgakiFri, 27 Dec 2013 21:57:00 +0000
                      • Jake A. SmithSat, 28 Dec 2013 00:02:53 +0000
                        • Yasuo OhgakiSat, 28 Dec 2013 00:39:06 +0000
                          • Andrea FauldsSat, 28 Dec 2013 01:41:10 +0000
                            • Sanford WhitemanSat, 28 Dec 2013 07:31:32 +0000
                            • Rouven WeßlingSun, 19 Jan 2014 22:40:22 +0000
                  • Stas MalyshevFri, 27 Dec 2013 19:44:21 +0000
            • Mateusz KocielskiFri, 27 Dec 2013 09:04:07 +0000
              • Pierre JoyeFri, 27 Dec 2013 09:07:38 +0000
                • Rouven WeßlingFri, 27 Dec 2013 13:55:39 +0000
                  • Sara GolemonFri, 27 Dec 2013 14:03:14 +0000
      • Tjerk MeestersMon, 23 Dec 2013 14:15:06 +0000
  • Yasuo OhgakiSun, 22 Dec 2013 23:55:02 +0000
  • Tjerk MeestersMon, 23 Dec 2013 01:26:05 +0000
  • Joe WatkinsMon, 23 Dec 2013 09:09:06 +0000Re: [RFC] Timing attack safe string comparison function
    • Yasuo OhgakiMon, 23 Dec 2013 09:45:50 +0000Re: Re: [RFC] Timing attack safe string comparison function
  • Stas MalyshevMon, 23 Dec 2013 10:11:39 +0000
    • Joe WatkinsMon, 23 Dec 2013 10:20:46 +0000
    • Rouven WeßlingMon, 23 Dec 2013 10:26:42 +0000
      • Joe WatkinsMon, 23 Dec 2013 10:42:41 +0000
      • Joe WatkinsMon, 23 Dec 2013 10:50:01 +0000
        • Marco PivettaMon, 23 Dec 2013 11:04:10 +0000
          • Joe WatkinsMon, 23 Dec 2013 11:16:47 +0000
            • Joe WatkinsMon, 23 Dec 2013 11:19:25 +0000
            • Marco PivettaMon, 23 Dec 2013 11:25:35 +0000
          • Rouven WeßlingMon, 23 Dec 2013 16:46:14 +0000
            • Joe WatkinsMon, 23 Dec 2013 19:45:58 +0000
• Iwan LuijksFri, 27 Dec 2013 20:15:53 +0000RE: [PHP-DEV] [RFC] Timing attack safe string comparison function