Highest Voted 'timing-attack' Questions

1

vote

1 answer

Are there other C standard library functions like memcmp that have timing side-channel risk?

I found that memcmp() will return false earlier if the first byte is different in both strings, and I thought it has a timing attack risk. However, when I tried to find out if there were other functions that had side-channel risks like memcmp, I…

asked Jul 08 '22 at 03:38

zhxf7481

11
1

1

vote

1 answer

Fixing a timing attack

I use this code to login a user. The password is encrypted with bcrypt and the SALT_ROUNDS is the same for every user const user = await User.findOne({email: args.email}); if (!user || !await user.comparePassword(args.password)) throw new…

javascript bcrypt timing-attack

asked Jun 06 '21 at 01:21

riggedCoinflip

435
4
16

1

vote

1 answer

Is checking the existence of an objects key considered timing safe?

So, I'm authing a pretty short list of users for a mostly private server, and the login data for these users in stored in an object. The object is structured like {"username":"hash"}. I'd like to know if using something like if(users[username)…

javascript cryptojs timing-attack

asked Mar 21 '21 at 08:56

Werlious

583
6
15

1

vote

1 answer

Function to count time with precision less than a millisecond

I have a function here that can make program count, wait etc with least count of 1 millisecond. But i was wondering if i can do same will lower precision. I have read other answers but they are mostly about changing to linux or sleep is guesstimate…

c++ timing-attack

asked Jul 10 '17 at 09:57

monster

808
10
23

1

vote

3 answers

Reducing an integer to 1 if it is not equal to 0

I'm trying to solve a timing leak by removing an if statement in my code but because of c++'s interpretation of integer inputs in if statements I am stuck. Note that I assume the compiler does create a conditional branch, which results in timing…

c++ c if-statement timing-attack

asked Mar 19 '17 at 13:33

Kasper

53
7

0

votes

1 answer

How can I understand whether my C code is constant time or not?

I have a code for polynomial multiplication and it is written in C. I heard that whether a particular instruction is "constant time" can vary by architecture and by processor model and there isn't any official documentation for this behavior. How…

c timing-attack

asked Dec 13 '21 at 14:26

esra

201
2
8

0

votes

1 answer

nodejs: timing attack on "=="

Recently I came past this write up of a CTF on hackerone. In this writeup part of completing the challenge was to perform a timing attack. It spiked my interest and I wanted to create a webite that would be prone to a timing attack. To do this I…

node.js ctf timing-attack

asked Oct 16 '21 at 19:31

Mr Krisey

109
2
10

0

votes

0 answers

Cannot detect any meaningful timing difference in PHP (constant timing attack)

There's quite a few articles around PHP stating that constant timing attacks are possible when doing direct string comparisons. I've written some sample code to try and determine the order of magnitude difference but it's showing that it's not…

php security constant-time timing-attack

asked Feb 11 '21 at 12:35

Adrian

323
2
5
17

0

votes

1 answer

Split token for PHP login - timing attack

I am creating a PHP login system. User will receive email with a onetime link to the website where the one-time link is gonna be checked and token provided as a cookie/session. My question is how to split the token and/or onetime link to prevent…

php sql authentication cryptography timing-attack

asked Nov 23 '20 at 14:10

stefan999

51
5

0

votes

1 answer

PHP constant-time realpath()?

I'm looking for a constant-time implementation of realpath() , does one exist? I'm in a situation where a malicious actor may control the argument for realpath(), and could theoretically use a timing attack to deduce if realpath() pointed to a real…

php timing realpath timing-attack

asked Oct 28 '19 at 07:14

hanshenrik

19,904
4
43
89

0

votes

1 answer

Force PHP to run all if conditions

I am building an application that is sensitive to timing attacks. I was thinking of instead of making an "if tree" where you nest if statement, just run all of the if statements, and then check all of the conditions at the end, like so: if…

php if-statement timing-attack

asked Aug 25 '19 at 11:11

AnnoyinC

426
4
17

0

votes

0 answers

Is the time leakage by comparing the hashes of two strings vulnerable?

It is obvious that if we compare two strings it is vulnerable to the time attack. I'm now wondering whether the time leakage is still a vulnerability if the comparison is done on the hash of those two strings? Isn't it vulnerable to any other kind…

security hash comparison timing-attack

asked Mar 22 '19 at 15:04

HmT

856
8
14

0

votes

1 answer

How could HMAC comparison ever not be constant-time in Python?

Python has a method specifically for comparing HMAC to prevent timing attacks: https://docs.python.org/3.7/library/hmac.html#hmac.compare_digest And I read about timing attacks here:…

python-3.x security hmac timing-attack

asked Mar 20 '19 at 12:41

davidtgq

3,780
10
43
80

0

votes

1 answer

Implementing a side channel timing attack

I'm working on a project implementing a side channel timing attack in C on HMAC. I've done so by computing the hex encoded tag and brute forcing byte-by-byte by taking advantage of strcmp's timing optimization. So for every digit in my test tag, I…

hmac macos timing-attack

asked Jun 09 '18 at 18:36

justan0therlurker

109
10

-1

votes

1 answer

How to have precise time in python for timing attacks?

I'd like to know why python gives me two different times when I re-order the two nested for loops. The difference is that significant that causes inaccurate results. This one almost gives me the result I expect to see: for i in range(20000): …

python time timing timing-attack side-channel-attacks

asked Nov 06 '22 at 16:02

D J

23
3

Questions tagged [timing-attack]