
Mailing List Archive: Python: Bugs

[issue14532] multiprocessing module performs a time-dependent hmac comparison

 

 


Apr 18, 2012, 1:22 PM

Post #26 of 35 (63 views)

Jon Oberheide <jon [at] oberheide> added the comment:

v3 patch, based on feedback from the review here: http://bugs.python.org/review/14532/show

----------
Added file: http://bugs.python.org/file25262/hmac-time-independent-v3.patch

_______________________________________
Python tracker <report [at] bugs>
<http://bugs.python.org/issue14532>
_______________________________________
_______________________________________________
Python-bugs-list mailing list
Unsubscribe: http://mail.python.org/mailman/options/python-bugs-list/list-python-bugs%40lists.gossamer-threads.com



Apr 19, 2012, 1:49 PM

Post #27 of 35 (63 views)

Charles-François Natali <neologix [at] free> added the comment:

> v3 patch, based on feedback from the review here: http://bugs.python.org/review/14532/show

Looks good to me.
One last thing (sorry for not bringing this up earlier): I don't like
bikeshedding, but at least to me, `time_independent_equals` is a bit
too long to type, and sounds reductive (we don't want to specifically
avoid only timing attacks, but provide a way to compare digests
securely).
What do you (all) think of something shorter, like `secure_compare`,
`secure_equals`, or something along those lines?
Note that I'm not good at finding names, so if others are fine with
the current one, I won't object ;-)

----------


Apr 19, 2012, 1:55 PM

Post #28 of 35 (62 views)

Jon Oberheide <jon [at] oberheide> added the comment:

I have used the name "secure_compare" in the past for such a function. That said, I don't have strong feelings either way about the naming, so I'll yield to the others.

----------


Apr 22, 2012, 7:02 AM

Post #29 of 35 (58 views)

Charles-François Natali <neologix [at] free> added the comment:

> I have used the name "secure_compare" in the past for such a function. That
> said, I don't have strong feelings either way about the naming, so I'll
> yield to the others.

I prefer this name too.
Wait one day or two (to let others chime in if they want), and upload
a new patch with that change :-)

----------


Apr 29, 2012, 11:06 PM

Post #30 of 35 (54 views)

Jon Oberheide <jon [at] oberheide> added the comment:

Ok, patch v4 uploaded. Only change is the rename to "secure_compare".

----------
Added file: http://bugs.python.org/file25414/hmac-time-independent-v4.patch


Apr 30, 2012, 10:02 AM

Post #31 of 35 (54 views)

Changes by Charles-François Natali <neologix [at] free>:


----------
stage: -> commit review


May 1, 2012, 1:52 AM

Post #32 of 35 (54 views)

STINNER Victor <victor.stinner [at] gmail> added the comment:

> However, this generally is not a security risk.

You should explain what you already said: it is not a risk because the
length of a HMAC is fixed.

----------


May 1, 2012, 8:40 AM

Post #33 of 35 (55 views)

Jon Oberheide <jon [at] oberheide> added the comment:

> You should explain what you already said: it is not a risk because the
> length of a HMAC is fixed.

Well, that's not entirely accurate. Exposing the length of the HMAC can expose what underlying hash is being used (eg. HMAC-SHA1 has different length than HMAC-MD5). It's generally not considered a risk since exposing the algorithm being used shouldn't impact your security (unless you're doing it very wrong).

----------
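
The property discussed in this thread, as an added example that is not part of the original messages or of the committed patch: an early-exit comparison does work that depends on how many leading digest bytes match, while an XOR-accumulate comparison does the same work for every equal-length input and returns early only on a length mismatch. `naive_equals`, `fixed_work_equals` and the helpers are hypothetical names, the key and message are constructed, and the byte counter stands in for timing.

```python
import hashlib
import hmac

def naive_equals(a: bytes, b: bytes):
    """Early-exit comparison (what `==` does). Returns (equal, bytes_examined)."""
    if len(a) != len(b):
        return False, 0
    examined = 0
    for x, y in zip(a, b):
        examined += 1
        if x != y:
            return False, examined  # work depends on the matching prefix
    return True, examined

def fixed_work_equals(a: bytes, b: bytes):
    """XOR-accumulate comparison. Returns (equal, bytes_examined)."""
    if len(a) != len(b):
        return False, 0  # early return reveals only the digest length
    diff = 0
    examined = 0
    for x, y in zip(a, b):
        diff |= x ^ y  # no branch on secret data
        examined += 1
    return diff == 0, examined

KEY = b"constructed-demo-key"   # constructed sample values
MSG = b"constructed message"
EXPECTED = hmac.new(KEY, MSG, hashlib.sha1).digest()  # 20 bytes

def work_profile(compare):
    """Bytes examined for guesses matching 0, 5, 19 and all 20 leading bytes."""
    profile = []
    for n in (0, 5, 19, 20):
        guess = bytearray(EXPECTED)
        if n < len(guess):
            guess[n] ^= 0xFF  # first differing byte is at index n
        profile.append(compare(EXPECTED, bytes(guess))[1])
    return profile

def length_mismatch_work(compare):
    """Compare against a 16-byte HMAC-MD5 digest of the same message."""
    other = hmac.new(KEY, MSG, hashlib.md5).digest()
    return compare(EXPECTED, other)

if __name__ == "__main__":
    print("naive:     ", work_profile(naive_equals))
    print("fixed work:", work_profile(fixed_work_equals))
    print("length mismatch:", length_mismatch_work(fixed_work_equals))
```

Pure-Python loops like these illustrate the data dependence only; real code should call the hmac module's comparison helper rather than a hand-written loop.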


May 13, 2012, 10:53 AM

Post #34 of 35 (43 views)

Roundup Robot <devnull [at] psf> added the comment:

New changeset ddcc8ee680d7 by Charles-François Natali in branch 'default':
Issue #14532: Add a secure_compare() helper to the hmac module, to mitigate
http://hg.python.org/cpython/rev/ddcc8ee680d7

----------
nosy: +python-dev


May 14, 2012, 12:50 AM

Post #35 of 35 (43 views)

Charles-François Natali <neologix [at] free> added the comment:

Committed.
Jon, thanks for your patch and your patience!

----------
resolution: -> fixed
stage: commit review -> committed/rejected
status: open -> closed
