Comments on: Protecting your cake site against timing attacks http://duckranger.com/2010/07/protecting-your-cake-site-against-timing-attacks/ JUST DOING IT Wed, 16 May 2012 06:51:23 +0000 hourly 1 http://wordpress.org/?v=3.3.2 By: Simon Rupf http://duckranger.com/2010/07/protecting-your-cake-site-against-timing-attacks/comment-page-1/#comment-2075 Simon Rupf Wed, 10 Aug 2011 16:51:05 +0000 http://duckranger.com/?p=406#comment-2075 Is there a performance improvement involved in calculating the number of milliseconds to sleep yourself instead of letting mt_rand do that for you? Example: <code>usleep(mt_rand(0, 3000));</code> @Adler: I suppose your scenario is to call the script a couple hundred times and record the timing, then take the median of those times? Would that really work on timing attacks? As far as I understand them, they rely on finding the needle in the haystack by trial an error. So the median would not help you recognise that certain value, as that special value might be much higher or lower as that median due to the sleep. Or am I missing something? Is there a performance improvement involved in calculating the number of milliseconds to sleep yourself instead of letting mt_rand do that for you? Example:

usleep(mt_rand(0, 3000));

@Adler: I suppose your scenario is to call the script a couple hundred times and record the timing, then take the median of those times? Would that really work on timing attacks? As far as I understand them, they rely on finding the needle in the haystack by trial an error. So the median would not help you recognise that certain value, as that special value might be much higher or lower as that median due to the sleep. Or am I missing something?

]]> By: Duck Ranger http://duckranger.com/2010/07/protecting-your-cake-site-against-timing-attacks/comment-page-1/#comment-1284 Duck Ranger Sun, 27 Feb 2011 10:18:46 +0000 http://duckranger.com/?p=406#comment-1284 @Adler - I may have misunderstood what you were trying to say, but I think you are talking about a completely different thing. Cheers @Adler – I may have misunderstood what you were trying to say, but I think you are talking about a completely different thing.

Cheers

]]> By: E Adler http://duckranger.com/2010/07/protecting-your-cake-site-against-timing-attacks/comment-page-1/#comment-1283 E Adler Fri, 25 Feb 2011 02:13:37 +0000 http://duckranger.com/?p=406#comment-1283 Adding these two lines does not protect from said timing attacks. It only increases the number of samplings an attacker must make to determine the password. What you should be doing is using a constant time algorithm to compare said passwords in order to prevent the timing attack from working in the first place. Adding these two lines does not protect from said timing attacks. It only increases the number of samplings an attacker must make to determine the password. What you should be doing is using a constant time algorithm to compare said passwords in order to prevent the timing attack from working in the first place.

]]> By: V V http://duckranger.com/2010/07/protecting-your-cake-site-against-timing-attacks/comment-page-1/#comment-490 V V Mon, 06 Sep 2010 17:30:32 +0000 http://duckranger.com/?p=406#comment-490 Thanks for this tip! I found adding this to the Security hash function slowed down every page request. Instead I added the same 2 lines to password function in the Auth component, just before the call to Security::hash. Thanks for this tip! I found adding this to the Security hash function slowed down every page request. Instead I added the same 2 lines to password function in the Auth component, just before the call to Security::hash.

]]>