Closed brinchj closed 11 years ago
This should be done for the other hash functions as well, to avoid timing attacks (see Thomas' comment). If you feel this is too much of a performance hit, I have implementations of constant time eq and less in C-code as well.
I've discussed this privately already with Felipe and Thomas, and I don't agree it that need to be like this. A digest is not necessarily a secret. Only secrets need to be carefully handled like this (which is something that is quite clearly written on the codehale article).
Most of the times i'm actually using a digest, it's actually for the temper_resistant+compression properties; While it could be a secret too, at the moment my preferred approach would be to have a "class Secret a" that could handle any secret value and would be required to have time constant equality function, and no ordering function.
Also while i see that you could need a time constant equality, i can't really think of any usage that would require a time constant ordering function (apart from misusing compare for equality).
When using the C-implementations the speed-down of using constant time ops are small enough, that I wouldn't mind using it in code where the digest isn't secret. Anyway, you could always serialize the digest to get a ByteString and use that, if you do mind the performance penalty.
On the other hand, if you don't do "safe by default", your asking people with no crypto experience to be aware of this. Of course, one could say that this library is simple not for regular programmers.
In that case, I'll wrap it in another library that's safer to use ;)
I'm not certain if it's ever safe to use compare on hashes, but consider an index from hashes to values - the application exists.
Anyway, it should probably be done in C if anywhere: http://rdist.root.org/2010/01/07/timing-independent-array-comparison/
Use constant time operations for Eq and Ord type instances for SHA-family hash values