[security] Widespread Timing Vulnerabilities in OpenID implementations
James A. Donald
jamesd at echeque.com
Sat Jul 17 07:20:24 UTC 2010
>> I record the time I receive a packet as a matter of course. It would
>> not be difficult to write some code that ensures that the time take to
>> return an error is quantized at a pretty coarse level (10ms or so).
On 2010-07-17 4:16 AM, Nate Lawson wrote:
> The attack then evolves to:
>
> 1. Ping server with correct login to known account, timing for expected
> RTT on success.
> 2. Perform timing attack on forged cookie:
> a. Each guess, wait predicted RTT+epsilon. If server has not responded
> by deadline, issue TCP RST and connect again.
> b. Parallelize this to guess across multiple sessions
This does not work.
The essence of a timing attack is that instead of the response telling
the attacker whether his guess was right or wrong, it tells the attacker
how wrong his guess was, so he can zero in in small steps. If the delay
on an error response is coarsely quantized, then it does *not* tell the
attacker how wrong his guess was.
More information about the security
mailing list