HMAC Verification does not use a constant time algorithm

justinpaulson / google-api-python-client

Automatically exported from code.google.com/p/google-api-python-client

Other

0 stars 0 forks source link

HMAC Verification does not use a constant time algorithm #204

Closed GoogleCodeExporter closed 8 years ago

GoogleCodeExporter commented 8 years ago

Using a non-constant comparison algorithm may allow an attacker to determine 
when a forged hmac is partially correct.  With repetition an attacker may be 
able to forge a full hmac value.  

References:
https://code.djangoproject.com/ticket/14445
http://weblog.rubyonrails.org/2009/9/3/timing-weakness-in-ruby-on-rails/
http://rdist.root.org/2009/05/28/timing-attack-in-google-keyczar-library/

Original issue reported on code.google.com by ptoomey@google.com on 8 Oct 2012 at 5:25

GoogleCodeExporter commented 8 years ago

Original comment by jcgregorio@google.com on 8 Oct 2012 at 5:55

Changed state: Fixed

GoogleCodeExporter commented 8 years ago

Committed at 
http://code.google.com/p/google-api-python-client/source/detail?r=4a7cfa4691a1b2
82f72c4ff488d8ae6508af8648

Original comment by jcgregorio@google.com on 8 Oct 2012 at 5:55