Re: [tor-bugs] #3122 [Tor Client]: Write and use constant-time comparison functions



#3122: Write and use constant-time comparison functions
-------------------------+--------------------------------------------------
 Reporter:  rransom      |          Owner:  ioerror           
     Type:  enhancement  |         Status:  new               
 Priority:  major        |      Milestone:  Tor: 0.2.1.x-final
Component:  Tor Client   |        Version:                    
 Keywords:               |         Parent:                    
   Points:               |   Actualpoints:                    
-------------------------+--------------------------------------------------

Comment(by rransom):

 Replying to [comment:8 nickm]:
 > III. Other things
 >
 > We need to look for other kinds of operations that alter control flow
 > based on sensitive information.  This includes at minimum auditing hash
 > tables and lookup functions.  This will be an ongoing thing.

 The solution here is to ''never'' use a secret string as a lookup key in
 an associative data structure.  One easy way to do this is to HMAC the
 secret lookup key with an ephemeral secret HMAC key; the result is not so
 secret, although we would still use our constant-time comparison functions
 within the data structure's implementation purely for performance reasons.

-- 
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/3122#comment:11>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs