Closed neomafo88 closed 8 months ago
This is to prevent timing attacks. The `==` operator compares byte by byte. It "stops" as soon as the first byte mismatches. In a typical scenario (e.g. a server validates incoming GCM messages), an attacker who tries to spoof messages could measure how many bytes of the MAC of the spoofed message they 'guessed' correctly.
The blake2 hash randomizes - 'blinds' - the comparison, so repeated measurements do not leak any information about the MAC tag.
An alternative to blinding would be `hmac.compare_digest`.
https://github.com/Legrandin/pycryptodome/blob/master/lib/Crypto/Cipher/_mode_gcm.py#L478-L508
I was reviewing the `verify` method for my use case (wanted to return both `self._compute_mac()` in the case of a mismatch, instead of the current `raise ValueError("MAC check failed")`), and was wondering why it is not just a simple comparison of `self._compute_mac() == received_mac_tag`?
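The blinded comparison described in the reply above, as an added example (not PyCryptodome's own code): it contrasts a plain `==` on the raw tags, whose early exit lands exactly at the first wrongly guessed byte, with hashing both tags under a fresh random BLAKE2s key before comparing, where the exit position is random on every call. The sample tag, the forgery, the 16-byte key size and the 20-byte digest size are assumptions made for the demonstration; `hmac.compare_digest` is shown as the stdlib alternative.

```python
import hmac
import os
from hashlib import blake2s

# Constructed sample values: a 16-byte GCM-style tag and a forgery that
# matches its first 15 bytes (what a timing oracle would let an attacker
# converge on one byte at a time).
EXPECTED_TAG = bytes.fromhex("00112233445566778899aabbccddeeff")
WRONG_TAG = EXPECTED_TAG[:15] + b"\x00"

def first_mismatch(a: bytes, b: bytes) -> int:
    """Index where an early-exit comparison like bytes.__eq__ stops."""
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y:
            return i
    return min(len(a), len(b))

def naive_mac_equal(expected: bytes, received: bytes) -> bool:
    # `==` stops at the first mismatch, so its running time grows with the
    # length of the correctly guessed prefix.
    return expected == received

def blinded_mac_equal(expected: bytes, received: bytes) -> bool:
    # Hash both tags under a fresh random key (blinding) and compare the
    # digests; any early exit now happens at a position the attacker can
    # neither predict nor reproduce across requests.
    secret = os.urandom(16)
    h_expected = blake2s(expected, digest_size=20, key=secret).digest()
    h_received = blake2s(received, digest_size=20, key=secret).digest()
    return h_expected == h_received

def compare_digest_mac_equal(expected: bytes, received: bytes) -> bool:
    # stdlib alternative: constant-time comparison of equal-length values.
    return hmac.compare_digest(expected, received)

def verify(expected: bytes, received: bytes, compare=blinded_mac_equal) -> None:
    """Tag check that raises on mismatch, as the GCM mode's verify() does."""
    if len(received) != len(expected) or not compare(expected, received):
        raise ValueError("MAC check failed")

def blinded_stop_positions(expected: bytes, received: bytes, trials: int = 8):
    """Where `==` stops on each trial when comparing the blinded digests;
    first_mismatch() on the raw tags is always 15 for the sample above."""
    positions = []
    for _ in range(trials):
        secret = os.urandom(16)
        positions.append(first_mismatch(
            blake2s(expected, digest_size=20, key=secret).digest(),
            blake2s(received, digest_size=20, key=secret).digest()))
    return positions
```

Running `blinded_stop_positions(EXPECTED_TAG, WRONG_TAG)` a few times shows the stop index scattering across the digest, while `first_mismatch(EXPECTED_TAG, WRONG_TAG)` stays at 15: that fixed index is the signal a timing attacker reads.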