Mailing List Archive: [issue14532] multiprocessing module performs a time-dependent hmac comparison

Mailing List Archive: Python: Bugs
[issue14532] multiprocessing module performs a time-dependent hmac comparison

Index | Next | Previous | View Flat

report at bugs

Apr 8, 2012, 1:27 PM

Views: 147
Permalink

[issue14532] multiprocessing module performs a time-dependent hmac comparison

New submission from Jon Oberheide <jon [at] oberheide>:

The multiprocessing module performs a time-dependent comparison of the HMAC digest used for authentication:

def deliver_challenge(connection, authkey):
import hmac
assert isinstance(authkey, bytes)
message = os.urandom(MESSAGE_LENGTH)
connection.send_bytes(CHALLENGE + message)
digest = hmac.new(authkey, message).digest()
response = connection.recv_bytes(256) # reject large message
if response == digest:
connection.send_bytes(WELCOME)
else:
connection.send_bytes(FAILURE)
raise AuthenticationError('digest received was wrong')

This comparison should be made time-independent as to not leak information about the expected digest and allow an attacker to derive the full digest.

More info on such timing attacks:

http://rdist.root.org/2009/05/28/timing-attack-in-google-keyczar-library/
http://rdist.root.org/2010/07/19/exploiting-remote-timing-attacks/

----------
components: Library (Lib)
messages: 157809
nosy: Jon.Oberheide
priority: normal
severity: normal
status: open
title: multiprocessing module performs a time-dependent hmac comparison

_______________________________________
Python tracker <report [at] bugs>
<http://bugs.python.org/issue14532>
_______________________________________
_______________________________________________
Python-bugs-list mailing list
Unsubscribe: http://mail.python.org/mailman/options/python-bugs-list/list-python-bugs%40lists.gossamer-threads.com

Subject	User	Time
[issue14532] multiprocessing module performs a time-dependent hmac comparison	report at bugs	Apr 8, 2012, 1:27 PM
[issue14532] multiprocessing module performs a time-dependent hmac comparison	report at bugs	Apr 8, 2012, 2:45 PM
[issue14532] multiprocessing module performs a time-dependent hmac comparison	report at bugs	Apr 9, 2012, 3:52 AM
[issue14532] multiprocessing module performs a time-dependent hmac comparison	report at bugs	Apr 10, 2012, 1:41 PM
[issue14532] multiprocessing module performs a time-dependent hmac comparison	report at bugs	Apr 11, 2012, 12:22 AM
[issue14532] multiprocessing module performs a time-dependent hmac comparison	report at bugs	Apr 11, 2012, 12:22 AM
[issue14532] multiprocessing module performs a time-dependent hmac comparison	report at bugs	Apr 11, 2012, 1:47 AM
[issue14532] multiprocessing module performs a time-dependent hmac comparison	report at bugs	Apr 11, 2012, 4:25 AM
[issue14532] multiprocessing module performs a time-dependent hmac comparison	report at bugs	Apr 11, 2012, 6:51 AM
[issue14532] multiprocessing module performs a time-dependent hmac comparison	report at bugs	Apr 11, 2012, 6:53 AM
[issue14532] multiprocessing module performs a time-dependent hmac comparison	report at bugs	Apr 11, 2012, 7:18 AM
[issue14532] multiprocessing module performs a time-dependent hmac comparison	report at bugs	Apr 11, 2012, 7:27 AM
[issue14532] multiprocessing module performs a time-dependent hmac comparison	report at bugs	Apr 11, 2012, 7:41 AM
[issue14532] multiprocessing module performs a time-dependent hmac comparison	report at bugs	Apr 11, 2012, 7:53 AM
[issue14532] multiprocessing module performs a time-dependent hmac comparison	report at bugs	Apr 11, 2012, 8:11 AM
[issue14532] multiprocessing module performs a time-dependent hmac comparison	report at bugs	Apr 11, 2012, 8:29 AM
[issue14532] multiprocessing module performs a time-dependent hmac comparison	report at bugs	Apr 11, 2012, 2:18 PM
[issue14532] multiprocessing module performs a time-dependent hmac comparison	report at bugs	Apr 11, 2012, 3:06 PM
[issue14532] multiprocessing module performs a time-dependent hmac comparison	report at bugs	Apr 11, 2012, 9:44 PM
[issue14532] multiprocessing module performs a time-dependent hmac comparison	report at bugs	Apr 11, 2012, 11:41 PM
[issue14532] multiprocessing module performs a time-dependent hmac comparison	report at bugs	Apr 12, 2012, 6:59 AM
[issue14532] multiprocessing module performs a time-dependent hmac comparison	report at bugs	Apr 12, 2012, 7:08 AM
[issue14532] multiprocessing module performs a time-dependent hmac comparison	report at bugs	Apr 12, 2012, 7:18 AM
[issue14532] multiprocessing module performs a time-dependent hmac comparison	report at bugs	Apr 12, 2012, 7:20 AM
[issue14532] multiprocessing module performs a time-dependent hmac comparison	report at bugs	Apr 12, 2012, 2:23 PM
[issue14532] multiprocessing module performs a time-dependent hmac comparison	report at bugs	Apr 18, 2012, 1:22 PM
[issue14532] multiprocessing module performs a time-dependent hmac comparison	report at bugs	Apr 29, 2012, 11:06 PM
[issue14532] multiprocessing module performs a time-dependent hmac comparison	report at bugs	May 13, 2012, 10:53 AM
[issue14532] multiprocessing module performs a time-dependent hmac comparison	report at bugs	Apr 30, 2012, 10:02 AM
[issue14532] multiprocessing module performs a time-dependent hmac comparison	report at bugs	May 14, 2012, 12:50 AM
[issue14532] multiprocessing module performs a time-dependent hmac comparison	report at bugs	May 1, 2012, 1:52 AM
[issue14532] multiprocessing module performs a time-dependent hmac comparison	report at bugs	May 1, 2012, 8:40 AM
[issue14532] multiprocessing module performs a time-dependent hmac comparison	report at bugs	Apr 19, 2012, 1:49 PM
[issue14532] multiprocessing module performs a time-dependent hmac comparison	report at bugs	Apr 19, 2012, 1:55 PM
[issue14532] multiprocessing module performs a time-dependent hmac comparison	report at bugs	Apr 22, 2012, 7:02 AM

Index | Next | Previous | View Flat

Interested in having your list archived? Contact Gossamer Threads