named-data-iot / ndn-lite

A lightweight NDN protocol stack with high-level application support including security bootstrapping, access control, trust management, etc.
https://ndn-lite.named-data.net
GNU Lesser General Public License v3.0

security: timing attack vulnerability in ndn_hmac_verify #4

Closed yoursunny closed 5 years ago

yoursunny commented 5 years ago

The ndn_hmac_verify, ndn_sha256_verify and sign_on_basic_nrf_crypto_vrfy_hmac_sha256_sig functions verify HMAC or SHA256 signatures. Each function first creates the correct HMAC or SHA256 signature over the input, then compares the incoming signature with that correct signature. The comparison step is coded as:

  if (memcmp(input_hmac, sig_value, sizeof(input_hmac)) != 0)
    return NDN_SEC_FAIL_VERIFY_SIG;
  else
    return NDN_SUCCESS;

This invokes memcmp, which returns as soon as it finds the first differing element. As a result, these functions are vulnerable to timing attacks, because the execution time of these functions leaks information about which is the first byte that differs from the correct signature.

To fix this bug, use a constant-time comparison function.
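As an added illustration (not code from the ndn-lite project or from this issue), the following C block places an instrumented early-exit comparison beside a constant-time one and wraps the latter in a verification routine shaped like the snippet above. The function names (early_exit_equal, ct_memeq, verify_sig_ct, demo_*) and the return-code values are assumptions chosen for the example; the 32-byte reference signature is constructed, not a real HMAC. The early-exit version counts how many bytes it examines before returning, which is the quantity that the issue says leaks through execution time; the constant-time version always touches every byte and folds all differences into one accumulator.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Placeholder result codes; the real ndn-lite values are not reproduced here. */
#define NDN_SUCCESS             0
#define NDN_SEC_FAIL_VERIFY_SIG (-1)

#define SIG_LEN 32

/* Early-exit comparison, mirroring memcmp's "stop at first mismatch" behaviour.
 * Instrumented: *bytes_examined receives how many bytes were read before returning,
 * which is what varies with the position of the first wrong byte. */
static int early_exit_equal(const uint8_t *a, const uint8_t *b, size_t len,
                            size_t *bytes_examined) {
  for (size_t i = 0; i < len; i++) {
    if (a[i] != b[i]) {
      *bytes_examined = i + 1;
      return 0;
    }
  }
  *bytes_examined = len;
  return 1;
}

/* Constant-time equality: no data-dependent branch, every byte is always read,
 * and all differences are OR-ed into one accumulator that is inspected at the end. */
int ct_memeq(const uint8_t *a, const uint8_t *b, size_t len) {
  volatile uint8_t diff = 0; /* volatile discourages the compiler from short-circuiting */
  for (size_t i = 0; i < len; i++) {
    diff |= (uint8_t)(a[i] ^ b[i]);
  }
  return diff == 0;
}

/* Verification step in the shape of the issue's snippet, using the constant-time
 * comparison. The length check is an added precaution: a signature of the wrong
 * length is rejected before any bytes are compared. */
int verify_sig_ct(const uint8_t *computed, size_t computed_len,
                  const uint8_t *sig_value, size_t sig_len) {
  if (sig_len != computed_len) {
    return NDN_SEC_FAIL_VERIFY_SIG;
  }
  if (!ct_memeq(computed, sig_value, computed_len)) {
    return NDN_SEC_FAIL_VERIFY_SIG;
  }
  return NDN_SUCCESS;
}

/* Build a constructed 32-byte "correct" signature plus a candidate that differs
 * only at position first_diff (first_diff == SIG_LEN means identical). */
static void build_pair(size_t first_diff, uint8_t ref[SIG_LEN], uint8_t cand[SIG_LEN]) {
  for (size_t i = 0; i < SIG_LEN; i++) {
    ref[i] = (uint8_t)(0xA5 ^ (i * 7)); /* arbitrary constructed bytes */
  }
  memcpy(cand, ref, SIG_LEN);
  if (first_diff < SIG_LEN) {
    cand[first_diff] ^= 0x01;
  }
}

/* How many bytes the early-exit comparison reads for a candidate whose first
 * wrong byte is at first_diff. Returns first_diff + 1 (or SIG_LEN if identical). */
size_t demo_bytes_examined(size_t first_diff) {
  uint8_t ref[SIG_LEN], cand[SIG_LEN];
  size_t examined = 0;
  build_pair(first_diff, ref, cand);
  early_exit_equal(ref, cand, SIG_LEN, &examined);
  return examined;
}

/* Result of the constant-time verification for the same candidate. */
int demo_verify(size_t first_diff) {
  uint8_t ref[SIG_LEN], cand[SIG_LEN];
  build_pair(first_diff, ref, cand);
  return verify_sig_ct(ref, SIG_LEN, cand, SIG_LEN);
}

int main(void) {
  size_t positions[] = { 0, 1, 15, 31, SIG_LEN };
  for (size_t k = 0; k < sizeof positions / sizeof positions[0]; k++) {
    size_t p = positions[k];
    printf("first differing byte at %2zu: early-exit reads %2zu bytes, ct verify -> %d\n",
           p, demo_bytes_examined(p), demo_verify(p));
  }
  return 0;
}
```

The printed table shows the early-exit byte count climbing with the position of the first mismatch while the constant-time result is simply pass or fail; the `volatile` accumulator is a common portable hedge, but a platform's own constant-time primitive (for example `CRYPTO_memcmp` where OpenSSL is available) is preferable when one exists.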

Zhiyi-Zhang commented 5 years ago

We will abandon sign_on_basic_nrf_crypto_vrfy_hmac_sha256_sig and other security impl under ./app-support/bootstrapping soon. Commit 2eabccc fixed the issue in ndn_hmac_verify and ndn_sha256_verify.