@creasty creasty commented Sep 8, 2014

I guess this secure comparison of two hash values isn't necessary.

According to the comment by Paŭlo Ebermann:

if the attacker does know neither the used salt nor the stored hash,
I would guess that a timing of the comparison of calculated and stored hash will not give any information at all,
since every (even single bit) change of the password input will result in a completely different hash.
http://security.stackexchange.com/questions/9192/timing-attacks-on-password-hashes

So I removed the secure_compare method.

creasty commented Sep 8, 2014

This pull request will revert #15 ("Fixes a theoretical timing attack"). Sorry for that.

@excpt excpt closed this Feb 25, 2015
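
The argument quoted in this thread, as an added example (not code from this pull request or the project): it measures how many leading characters an early-exit comparison would match when guesses approach the real password, next to a constant-time comparison. The salt, password, SHA-256 and this `secure_compare` body are assumptions made for illustration.

```ruby
require 'digest'

# Constructed sample values (assumptions, not taken from the project).
SALT   = 'constructed-salt'
STORED = Digest::SHA256.hexdigest(SALT + 'correct horse')

# Leading characters two strings share. An early-exit comparison such as
# String#== stops at the first mismatch, so this is what its timing can leak.
def shared_prefix_len(a, b)
  a.chars.zip(b.chars).take_while { |x, y| x == y }.length
end

# Constant-time comparison (illustrative body): XOR every byte pair and OR
# the results, so the work done does not depend on where the strings differ.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# For each guess, hash it with the salt and report how long a prefix of the
# stored hash it matches. Closer passwords do not give longer prefixes.
def leak_profile(guesses)
  guesses.map do |g|
    [g, shared_prefix_len(Digest::SHA256.hexdigest(SALT + g), STORED)]
  end
end

if __FILE__ == $0
  guesses = ['a', 'correct', 'correct hors', 'correct horsf', 'correct horse']
  leak_profile(guesses).each { |g, n| puts format('%-15s matches %2d/64', g, n) }
end
```

The prefix length stays near zero until the guess is exactly right, which is the quote's point under its stated assumption that the attacker knows neither the salt nor the stored hash.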