1 / 7

Timing attacks on MAC verification

Online Cryptography Course Dan Boneh. Collision resistance. Timing attacks on MAC verification. Warning: verification timing attacks [L’09]. Example: Keyczar crypto library (Python) [simplified] def Verify (key, msg , sig_bytes ):

pillan
Download Presentation

Timing attacks on MAC verification

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Online Cryptography Course Dan Boneh Collision resistance Timing attacks on MACverification

  2. Warning: verification timing attacks [L’09] Example: Keyczar crypto library (Python) [simplified] defVerify(key, msg, sig_bytes): return HMAC(key, msg) == sig_bytes The problem: ‘==‘ implemented as a byte-by-byte comparison • Comparator returns false when first inequality found

  3. Warning: verification timing attacks [L’09] m , tag k target msgm Timing attack: to compute tag for target message m do: Step 1: Query server with random tag Step 2: Loop over all possible first bytes and query server. stop when verification takes a little longer than in step 1 Step 3: repeat for all tag bytes until valid tag found accept or reject

  4. Defense #1 Make string comparator always take same time (Python) : return false if sig_byteshas wrong length result = 0 for x, y in zip( HMAC(key,msg) , sig_bytes): result |= ord(x) ^ ord(y) return result == 0 Can be difficult to ensure due to optimizing compiler.

  5. Defense #2 Make string comparator always take same time (Python) : def Verify(key, msg, sig_bytes): mac = HMAC(key, msg) return HMAC(key, mac) == HMAC(key, sig_bytes) Attacker doesn’t know values being compared

  6. Lesson Don’t implement crypto yourself !

  7. End of Segment

More Related