Open MaxXor opened 8 years ago
You could use task lists to keep track of what's done, and what's not. Also, the 3rd one should be: "Store derived keys in client instead of password"
Thanks, done.
It would be better to perform double HMAC verification istead of simple More info: https://www.nccgroup.trust/us/about-us/newsroom-and-events/blog/2011/february/double-hmac-verification/
@GoltikRee To have a secure HMAC comparison, either you do a constant-time one, which is already done.
Or, you can do what you said here, that is, compare something that the attacker doesn't know, so, do a HMAC of the HMAC, and compare that.
So, here it's already safe, because optimisations are disabled for this function, and it takes a constant time.
What you said should indeed be implemented, thanks, because here, it's not assembly, so, you can't make it take constant-time, reliably. Or, this function should be implemented in assembly, and make sure that it takes the same amount of cycles.
@GoltikRee @TheNain38 Timing attacks are fixed due to this attribute: https://github.com/quasar/QuasarRAT/blob/master/Server/Core/Helper/CryptographyHelper.cs#L17 Even for the .NET JIT compiler, see here: https://msdn.microsoft.com/en-us/library/system.runtime.compilerservices.methodimploptions(v=vs.110).aspx
@MaxXor Right... i forgot that (I'm not working with C# that much, I mean, never)
Hi @MaxXor ,
But, I've searched (couple of time) for replay-attacks and found that the best way to prevent it by using time-stamp (one-time session token) and make the client/server => send/hash it and it will be checked on both sides also we have to make sure it expires after sometime (maybe 1 min or less) and regenerate new one.
So I want to know your opinion about that and it will be nice if you could implement a fix for replay-attack.
Cryptography Todo (see discussion here: #450):