djoos / EscapeWSSEAuthenticationBundle

Symfony bundle to implement WSSE authentication
http://symfony.com/doc/current/cookbook/security/custom_authentication_provider.html

secured digest comparison against remote timing attacks using Symfony's #71

Closed data219 closed 8 years ago

data219 commented 9 years ago

string utils

djoos commented 8 years ago

Hi @data219,

would you mind giving some more background to this PR? I'll close it for now, but please do not hesitate to add some comments so we can revisit it.

Thanks in advance! David

data219 commented 8 years ago

Hi @djoos, this prevents remote timing attacks (https://en.wikipedia.org/wiki/Timing_attack) by using the Symfony string utils (StringUtils::equals()) to compare the expected and actual digest (see line 137, Security/Core/Authentication/Provider/Provider.php). Symfony's string utils implement a string comparison with fixed runtime.

djoos commented 8 years ago

Thanks for the additional info @data219, ok: I'm going to add this in shortly (I'll reference this thread)...

djoos commented 8 years ago

FYI: in the meantime StringUtils has been deprecated in favor of hash_equals (>= PHP 5.6). I'll fix the failed Travis tests in master now.
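
As an added illustration of the change discussed in this thread (example code, not the bundle's or Symfony's own), the following PHP script recomputes a WSSE PasswordDigest using the formula from the Symfony cookbook linked at the top of the page, Base64(SHA-1(nonce . created . password)) over the raw nonce bytes, and shows the vulnerable `===` comparison next to the constant-time one. It uses `hash_equals()` where available (PHP >= 5.6) and otherwise the XOR-accumulate loop that `StringUtils::equals()` used. The header values, the username and the secret are constructed sample data; the function names and the `parseWsseHeader` helper are this example's own.

```php
<?php
// Added example; not code from EscapeWSSEAuthenticationBundle or Symfony.
// PasswordDigest = Base64(SHA-1(Nonce . Created . Password)), where Nonce is
// the raw bytes of the base64-decoded X-WSSE nonce (Symfony cookbook recipe).

/** Compute the expected PasswordDigest for a given raw nonce, timestamp and secret. */
function wsseDigest($rawNonce, $created, $secret)
{
    return base64_encode(sha1($rawNonce . $created . $secret, true));
}

/**
 * Vulnerable comparison: PHP's === on strings stops at the first mismatching
 * byte, so the response time depends on how many leading bytes the attacker
 * guessed correctly. That is the timing side channel the PR closes.
 */
function verifyDigestUnsafe($expected, $provided)
{
    return $expected === $provided;
}

/**
 * Fixed comparison. hash_equals() (PHP >= 5.6) is what the maintainer settled
 * on; the XOR-accumulate loop is the technique StringUtils::equals() used
 * before that: every byte is visited regardless of where the strings differ,
 * so only the length is leaked, and WSSE digests have a fixed length anyway.
 */
function verifyDigestSafe($expected, $provided)
{
    if (function_exists('hash_equals')) {
        return hash_equals($expected, $provided);
    }
    $len = strlen($expected);
    if ($len !== strlen($provided)) {
        return false;
    }
    $diff = 0;
    for ($i = 0; $i < $len; ++$i) {
        $diff |= ord($expected[$i]) ^ ord($provided[$i]);
    }
    return 0 === $diff;
}

/** Parse Username, PasswordDigest, Nonce and Created out of an X-WSSE header value (example helper). */
function parseWsseHeader($header)
{
    $pattern = '/UsernameToken Username="([^"]+)", PasswordDigest="([^"]+)", Nonce="([^"]+)", Created="([^"]+)"/';
    if (!preg_match($pattern, $header, $m)) {
        return null;
    }
    return array('username' => $m[1], 'digest' => $m[2], 'nonce' => $m[3], 'created' => $m[4]);
}

// Constructed sample values (not real credentials or a real request).
$secret  = 'server-side-password-for-alice';   // assumption: the user's stored secret
$created = '2016-01-01T00:00:00Z';
$nonce   = base64_encode('0123456789abcdef');  // 16 constructed nonce bytes

$goodDigest = wsseDigest(base64_decode($nonce), $created, $secret);
$header = sprintf(
    'UsernameToken Username="alice", PasswordDigest="%s", Nonce="%s", Created="%s"',
    $goodDigest, $nonce, $created
);

// Server side: recompute the digest from the header's nonce and timestamp,
// then compare it in constant time against the digest the client sent.
$token    = parseWsseHeader($header);
$expected = wsseDigest(base64_decode($token['nonce']), $token['created'], $secret);
var_dump(verifyDigestSafe($expected, $token['digest']));

// A digest with its first byte changed is rejected, and the rejection takes
// the same time whether the mismatch is in the first byte or the last.
$tampered = substr_replace($token['digest'], $token['digest'][0] === 'A' ? 'B' : 'A', 0, 1);
var_dump(verifyDigestSafe($expected, $tampered));
```

The first `var_dump` is `true` and the second `false`. Note that both comparison functions return the same boolean for every input; the difference is only in timing, which is why the bug is invisible to a functional test and has to be fixed by construction. This example covers only the comparison step; checking that `Created` is recent and that the nonce has not been seen before is a separate concern.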