摘要： 本文讲的是Paragon Initiative: Preventing Timing Attacks on String Comparison with a Double HMAC Strategy， The Paragon Initiative has a post showing you how to prevent timing attacks when comparing stringsusing a double HMA
The Paragon Initiative has a post showing you how to prevent timing attacks when comparing stringsusing a double HMAC method. Essentially this method replaces timing safe comparison methods (non-native) using a constant key in the HMAC generation.
One of the common cryptographic side-channels that developers should be aware of is how long a specific operation, such as a string comparison, takes to complete. Thus, they are called timing attacks. [...] Timing attacks are possible because string comparison (usually implemented internally via memcmp()) is optimized. [...] These concerns have led many security to propose a Double HMAC strategy instead of writing a constant time comparison loop where one is not already provided (e.g. PHP before 5.6.0).
He points out that while the has_equalsapproach can be effective in preventing this kind of issue, if you're not running PHP 5.6 you're a bit out of luck. There are polyfill functions that mimic it but he suggests another option - the double HMAC. He includes an example of the code to perform this kind of evaluation, using the same constant key value in the HMAC generation for both input strings. He then refactors this and shows how to use a more randomized key making use of the native CSPRNG functionscoming in PHP 7 ( ployfill available for this too).
|warn-sparkR install ...||J2EE学习笔记(3) Struts L...||从beta2转移到rtm的差别列表|
|...rging 'org/apache/commons/beanutils/Constructo...||...ge, request, session, application, "any scope" (def...||... a complete stack walk, because the former does not...|