Re: [RFC] Timing attack safe string comparison function

From:	Yasuo Ohgaki	Date:	Tue, 24 Dec 2013 06:37:56 +0000
Subject:	Re: [RFC] Timing attack safe string comparison function
References:	1 2 3	Groups:	php.internals
Request:	Send a blank email to internals+get-70871@lists.php.net to get a copy of this message

Hi all,

On Tue, Dec 24, 2013 at 1:35 PM, Thomas Hruska <thruska@cubiclesoft.com>wrote:

> On 12/23/2013 8:59 PM, Jake A. Smith wrote:
>
>> Hi all,
>>
>>  "strcmp_secure()" or something like this would be good, as it could be
>>>
>>
>> used any security sensitive string comparison.
>>
>> I like that. It makes sense for the function to be named for what it
>> does, not how one hopes or expects it will be used.
>>
>> JS
>>
>
> Perhaps this could be implemented by adding an optional parameter to the
> existing str...cmp() series of functions instead of adding more functions.


We may do this.
However, strcmp() returns 0 for equal strings while strcmp_secure() will
return TRUE for equal strings. We could make strcmp_secure() returns
FALSE/0 for equal strings, but it does not make much sense.

Perhaps, we need different function name rather than strcmp_secure().

I would like to have dedicated functions for security related features, so
that more users aware of issues.

Regards,

--
Yasuo Ohgaki
yohgaki@ohgaki.net


   

Thread (40 messages)

• Rouven WeßlingSun, 22 Dec 2013 17:08:09 +0000
  • Andrea FauldsSun, 22 Dec 2013 17:25:48 +0000
    • Rouven WeßlingMon, 23 Dec 2013 09:45:29 +0000
      • Joe WatkinsMon, 23 Dec 2013 10:01:26 +0000
      • Joe WatkinsMon, 23 Dec 2013 10:03:43 +0000
        • Yasuo OhgakiMon, 23 Dec 2013 22:30:36 +0000
          • Jake A. SmithTue, 24 Dec 2013 03:59:57 +0000
            • Thomas HruskaTue, 24 Dec 2013 04:35:15 +0000
              • Yasuo OhgakiTue, 24 Dec 2013 06:37:56 +0000
                • Thomas HruskaTue, 24 Dec 2013 08:28:36 +0000
                • Sara GolemonFri, 27 Dec 2013 13:57:51 +0000
                  • Adam HarveyFri, 27 Dec 2013 18:12:23 +0000
                    • Yasuo OhgakiFri, 27 Dec 2013 21:57:00 +0000
                      • Jake A. SmithSat, 28 Dec 2013 00:02:53 +0000
                        • Yasuo OhgakiSat, 28 Dec 2013 00:39:06 +0000
                          • Andrea FauldsSat, 28 Dec 2013 01:41:10 +0000
                            • Sanford WhitemanSat, 28 Dec 2013 07:31:32 +0000
                            • Rouven WeßlingSun, 19 Jan 2014 22:40:22 +0000
                  • Stas MalyshevFri, 27 Dec 2013 19:44:21 +0000
            • Mateusz KocielskiFri, 27 Dec 2013 09:04:07 +0000
              • Pierre JoyeFri, 27 Dec 2013 09:07:38 +0000
                • Rouven WeßlingFri, 27 Dec 2013 13:55:39 +0000
                  • Sara GolemonFri, 27 Dec 2013 14:03:14 +0000
      • Tjerk MeestersMon, 23 Dec 2013 14:15:06 +0000
  • Yasuo OhgakiSun, 22 Dec 2013 23:55:02 +0000
  • Tjerk MeestersMon, 23 Dec 2013 01:26:05 +0000
  • Joe WatkinsMon, 23 Dec 2013 09:09:06 +0000Re: [RFC] Timing attack safe string comparison function
    • Yasuo OhgakiMon, 23 Dec 2013 09:45:50 +0000Re: Re: [RFC] Timing attack safe string comparison function
  • Stas MalyshevMon, 23 Dec 2013 10:11:39 +0000
    • Joe WatkinsMon, 23 Dec 2013 10:20:46 +0000
    • Rouven WeßlingMon, 23 Dec 2013 10:26:42 +0000
      • Joe WatkinsMon, 23 Dec 2013 10:42:41 +0000
      • Joe WatkinsMon, 23 Dec 2013 10:50:01 +0000
        • Marco PivettaMon, 23 Dec 2013 11:04:10 +0000
          • Joe WatkinsMon, 23 Dec 2013 11:16:47 +0000
            • Joe WatkinsMon, 23 Dec 2013 11:19:25 +0000
            • Marco PivettaMon, 23 Dec 2013 11:25:35 +0000
          • Rouven WeßlingMon, 23 Dec 2013 16:46:14 +0000
            • Joe WatkinsMon, 23 Dec 2013 19:45:58 +0000
• Iwan LuijksFri, 27 Dec 2013 20:15:53 +0000RE: [PHP-DEV] [RFC] Timing attack safe string comparison function