Re: Is there a hidden channel in X authentication?

From: David Wagner (dawat_private)
Date: Tue May 22 2001 - 09:48:18 PDT

    Michael Wojcik wrote:
    >In any case, it's easy enough to mask the time by using a hand-coded
    >comparison loop that always compares all the bytes and sets a flag if any of
    >them differ.
    
    A nice approach is to do what Unix password authentication does:
    Hash both inputs, and then check if the hashes are the same.  The latter
    comparison can be done with memcmp(), because the timing side-channel
    reveals nothing if the hash is one-way.
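
The two comparisons discussed in this thread, as an added example that is not part of the original post or its author's code: the all-bytes loop from the quoted reply and the hash-then-compare check, plus `exit_index`, which shows where an early-exit comparison would stop on raw bytes versus on digests. Assumptions: SHA-256 as the one-way hash, Python's bytes `==` standing in for memcmp(), a non-secret input length, constructed sample values, and `compare_keyed`, a keyed variation that goes beyond what the post describes.

```python
import hashlib
import hmac
import os


def compare_all_bytes(a: bytes, b: bytes) -> bool:
    """Loop from the quoted reply: visit every byte, OR differences into a flag."""
    if len(a) != len(b):       # the length is assumed not to be secret
        return False
    diff = 0
    for x, y in zip(a, b):
        diff |= x ^ y          # no early exit on the first mismatch
    return diff == 0


def compare_hashed(a: bytes, b: bytes) -> bool:
    """Approach from the post: hash both inputs, compare only the digests."""
    # bytes == may stop at the first difference, standing in for memcmp()
    return hashlib.sha256(a).digest() == hashlib.sha256(b).digest()


def compare_keyed(a: bytes, b: bytes) -> bool:
    """Variation not in the post: HMAC under a fresh random key per call, so
    the party supplying the input cannot predict either digest."""
    key = os.urandom(32)
    da = hmac.new(key, a, hashlib.sha256).digest()
    db = hmac.new(key, b, hashlib.sha256).digest()
    return da == db


def exit_index(a: bytes, b: bytes) -> int:
    """Index where an early-exit comparison stops: what its timing exposes."""
    n = 0
    for x, y in zip(a, b):
        if x != y:
            break
        n += 1
    return n


# Constructed sample values, not taken from the page.
SECRET = bytes.fromhex("00112233445566778899aabbccddeeff")
NEAR_MISS = SECRET[:-1] + b"\x00"      # only the final byte is wrong

if __name__ == "__main__":
    for check in (compare_all_bytes, compare_hashed, compare_keyed):
        print(check.__name__, check(SECRET, SECRET), check(SECRET, NEAR_MISS))
    print("raw exit index:", exit_index(SECRET, NEAR_MISS))
    print("digest exit index:", exit_index(hashlib.sha256(SECRET).digest(),
                                           hashlib.sha256(NEAR_MISS).digest()))
```

On the raw inputs the exit index tracks how many leading bytes of the guess are correct; on the digests it does not.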
    



    This archive was generated by hypermail 2b30 : Tue May 22 2001 - 21:58:42 PDT