djeraseit / passlib

Automatically exported from code.google.com/p/passlib

use constant time equality function when comparing hashes #18

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
Many frameworks seem to be adopting 'constant time' equality functions when comparing hashes.

This seems to stem from a warning about [hmac timing attacks](http://codahale.com/a-lesson-in-timing-attacks/). Such attacks aren't relevant for most password hash use-cases, but it's being adopted nevertheless since the cost is minimal, and the security increase is small but non-zero (as well laid out in this [Django issue](https://code.djangoproject.com/ticket/15627)).

Should probably throw this into the next major passlib release.

Original issue reported on code.google.com by elic@astllc.org on 11 Aug 2011 at 2:11

GoogleCodeExporter commented 9 years ago
This has been added to the default branch as of racbdef8c4726, and will be 
included in 1.6.

Original comment by elic@astllc.org on 1 Dec 2011 at 10:45

GoogleCodeExporter commented 9 years ago
Added in Passlib 1.6 release; verified consteq() via dis module, all branches should take exactly same amount of time.

Original comment by elic@astllc.org on 1 May 2012 at 9:00
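The difference the thread is about, as an added example written here for illustration (not passlib's own `consteq()` and not code from any commenter): a naive comparison returns as soon as one byte differs, so its running time reveals how long the matching prefix is, while a constant-time comparison always walks the full input and folds every byte difference into one accumulator. The `check_digest` helper shows the stdlib alternative, `hmac.compare_digest`, which has been available since Python 3.3. All sample values are constructed for the example.

```python
import hashlib
import hmac


def naive_eq(left: bytes, right: bytes) -> bool:
    """Early-exit comparison. The loop stops at the first mismatch, so the
    time taken depends on how many leading bytes of `right` are correct."""
    if len(left) != len(right):
        return False
    for l, r in zip(left, right):
        if l != r:
            return False
    return True


def consteq(left: bytes, right: bytes) -> bool:
    """Constant-time comparison: no data-dependent early exit.

    Every byte pair is XORed and OR-ed into `result`; the loop never breaks,
    so the running time depends only on the length of `left`, not on where
    (or whether) the two inputs differ. Written for illustration; it is not
    passlib's implementation.
    """
    if len(left) == len(right):
        result = 0
        pairs = zip(left, right)
    else:
        # Lengths differ: the answer is already False, but still do a full
        # pass (comparing `left` with itself) so this path is not a visibly
        # faster one.
        result = 1
        pairs = zip(left, left)
    for l, r in pairs:
        result |= l ^ r
    return result == 0


def check_digest(stored_hex: str, candidate_hex: str) -> bool:
    """Stdlib equivalent: hmac.compare_digest accepts bytes or ASCII str and
    performs the comparison without short-circuiting."""
    return hmac.compare_digest(stored_hex, candidate_hex)


def demo_hash(secret: bytes, salt: bytes) -> str:
    """Stand-in for a real password hash (constructed for the example; a
    plain salted SHA-256 is used only so the block has no dependencies)."""
    return hashlib.sha256(salt + secret).hexdigest()


if __name__ == "__main__":
    # Constructed sample: a stored digest and two candidates.
    salt = b"example-salt"
    stored = demo_hash(b"correct horse", salt)
    good = demo_hash(b"correct horse", salt)
    bad = demo_hash(b"wrong horse", salt)
    print("naive   good/bad:", naive_eq(stored.encode(), good.encode()),
          naive_eq(stored.encode(), bad.encode()))
    print("consteq good/bad:", consteq(stored.encode(), good.encode()),
          consteq(stored.encode(), bad.encode()))
    print("stdlib  good/bad:", check_digest(stored, good), check_digest(stored, bad))
```

Both functions return the same booleans; the difference is only in timing behaviour, which is why the check in the last comment was done on the bytecode (`dis`) rather than on the results.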