1. 云栖社区>
  2. PHP教程>
  3. 正文

Paragon Initiative: Preventing Timing Attacks on String Comparison with a Double HMAC Strategy

作者:用户 来源:互联网 时间:2017-12-01 09:05:44

Paragon Initiative: Preventing Timing Attacks on String Comparison with a Double HMAC Strategy - 摘要: 本文讲的是Paragon Initiative: Preventing Timing Attacks on String Comparison with a Double HMAC Strategy, The Paragon Initiative has a post showing you how to prevent timing attacks when comparing stringsusing a double HMA

The Paragon Initiative has a post showing you how to prevent timing attacks when comparing stringsusing a double HMAC method. Essentially this method replaces timing safe comparison methods (non-native) using a constant key in the HMAC generation.

One of the common cryptographic side-channels that developers should be aware of is how long a specific operation, such as a string comparison, takes to complete. Thus, they are called timing attacks. [...] Timing attacks are possible because string comparison (usually implemented internally via memcmp()) is optimized. [...] These concerns have led many security to propose a Double HMAC strategy instead of writing a constant time comparison loop where one is not already provided (e.g. PHP before 5.6.0).

He points out that while the has_equalsapproach can be effective in preventing this kind of issue, if you're not running PHP 5.6 you're a bit out of luck. There are polyfill functions that mimic it but he suggests another option - the double HMAC. He includes an example of the code to perform this kind of evaluation, using the same constant key value in the HMAC generation for both input strings. He then refactors this and shows how to use a more randomized key making use of the native CSPRNG functionscoming in PHP 7 ( ployfill available for this too).

以上是云栖社区小编为您精心准备的的内容,在云栖社区的博客、问答、公众号、人物、课程等栏目也有的相关内容,欢迎继续使用右上角搜索按钮进行搜索,以便于您获取更多的相关知识。