RustCrypto / PAKEs

Password-Authenticated Key Agreement protocols

SRP: Use constant time comparisons of secrets #19

Open jpgoldberg opened 5 years ago

jpgoldberg commented 5 years ago

In srp/src/server.rs for example, we see

if user_proof == d.result().as_slice() {

where the types are byte slices, &[u8]. I suspect that the same kind of thing appears throughout the code (although I haven't checked).

That will result in a non-constant time comparison, and expose this to timing attacks.

I am new to Rust, so take my suggestion with a large grain of salt. It seems that if we create a trait for secrets and then implement comparison tests for that trait with constant time checks, we could use Rust's type system to enforce that we always have constant time comparisons.

jpgoldberg commented 5 years ago

Ah. I didn't see that the readme explicitly says this doesn't do constant time comparisons.

jpgoldberg commented 5 years ago

And so closing.

newpavlov commented 5 years ago

I will reopen this issue, as it's quite easy to fix by using subtle as we do in other crates.
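As an added illustration of the fix discussed in this thread (this is not code from the RustCrypto/PAKEs crate or from the `subtle` crate), the block below contrasts the short-circuiting slice `==` quoted from `srp/src/server.rs` with a constant-time comparison and wraps it in a newtype along the lines jpgoldberg suggested, so that `==` on a secret cannot fall back to the timing-dependent path. `ct_eq` is a dependency-free stand-in for `subtle::ConstantTimeEq`; `verify_client_proof`, `SecretBytes` and `naive_eq_with_work` are hypothetical names, and the 32-byte "proof" values are constructed sample input.

```rust
use std::hint::black_box;

/// Constant-time byte-slice equality, a dependency-free stand-in for
/// `subtle::ConstantTimeEq`. Every byte pair is examined and XOR differences
/// are folded into one accumulator, so the running time depends only on the
/// length, not on the position of the first mismatch.
pub fn ct_eq(a: &[u8], b: &[u8]) -> bool {
    if a.len() != b.len() {
        // Length is not secret here: SRP proofs are fixed-size hash outputs.
        return false;
    }
    let mut acc: u8 = 0;
    for (x, y) in a.iter().zip(b.iter()) {
        acc |= x ^ y;
    }
    // black_box discourages the optimizer from turning the fold into an early exit.
    black_box(acc) == 0
}

/// Hypothetical newtype for a secret proof value (the trait/type idea from the
/// issue): its `PartialEq` is constant-time, so `a == b` on two secrets can
/// never silently use the short-circuiting slice comparison.
#[derive(Clone, Debug)]
pub struct SecretBytes(pub Vec<u8>);

impl PartialEq for SecretBytes {
    fn eq(&self, other: &Self) -> bool {
        ct_eq(&self.0, &other.0)
    }
}
impl Eq for SecretBytes {}

/// Hypothetical server-side check mirroring the quoted
/// `if user_proof == d.result().as_slice()` line, rewritten to be constant-time.
pub fn verify_client_proof(user_proof: &[u8], expected: &[u8]) -> bool {
    ct_eq(user_proof, expected)
}

/// The behaviour of the original short-circuiting comparison, shown for
/// contrast: returns (equal, bytes_examined). The examined count is what a
/// timing measurement would reveal, i.e. how far the prefix of a guess matched.
pub fn naive_eq_with_work(a: &[u8], b: &[u8]) -> (bool, usize) {
    if a.len() != b.len() {
        return (false, 0);
    }
    let mut examined = 0;
    for (x, y) in a.iter().zip(b.iter()) {
        examined += 1;
        if x != y {
            return (false, examined);
        }
    }
    (true, examined)
}

fn main() {
    // Constructed sample: a 32-byte "expected proof" and two wrong guesses that
    // differ in the first and the last byte respectively.
    let expected = [0xA5u8; 32];
    let mut wrong_first = expected;
    wrong_first[0] ^= 1;
    let mut wrong_last = expected;
    wrong_last[31] ^= 1;

    println!(
        "naive == examines {} bytes vs {} bytes before rejecting",
        naive_eq_with_work(&wrong_first, &expected).1,
        naive_eq_with_work(&wrong_last, &expected).1
    );
    println!(
        "constant-time: correct={} wrong_first={} wrong_last={}",
        verify_client_proof(&expected, &expected),
        verify_client_proof(&wrong_first, &expected),
        verify_client_proof(&wrong_last, &expected)
    );
    println!(
        "newtype ==: {}",
        SecretBytes(expected.to_vec()) == SecretBytes(wrong_last.to_vec())
    );
}
```

In a real crate one would use `subtle::ConstantTimeEq` (as newpavlov proposes) rather than the hand-rolled `ct_eq`; the newtype pattern is what makes the choice enforceable by the type system, because a `SecretBytes` can only be compared through the constant-time `PartialEq` impl.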

warner commented 5 years ago

There's no strong reason to not use a constant-time comparison, but:

I think PAKEs in general are safer against timing attacks because all the secrets tend to be single-use.

jbis9051 commented 2 years ago

https://github.com/RustCrypto/PAKEs/pull/79 adds timing safe comparisons for client and server proof verification. It does not fix the other timing safe issues described by @warner due to the complexity. Although I agree, I don't think a timing attack is actually feasible for the reasons @warner mentioned.