Verbose Logging

software development with some really amazing hair

T + G I F R

A Timing Attack In Action

· By Daniel Huckstep · Posted in Programming
Tagged with

Last week I wrapped up the chapter on the crypto package in Go, The Standard Library

Within the crypto package we have the crypto/subtle package. This package contains functions for doing constant time operations which are an important part of cryptography.

Constant time functions help prevent timing attacks which are caused when operations take different amounts of time to complete a task based on some input. When the time something takes leaks information about what's going on.

Comparing Strings

Let's look at a standard string comparison algorithm. For every character in a string, compare it to the character at the same index in the other string. If they are equal, try the next character. If not, return false. Pretty straight forward, but if the first character doesn't match, the function returns immediately. If the first character matches but the second doesn't, the function takes just a little bit longer. This difference is enough to measure, even on web applications. See these two papers for more on that. The functions in the crypto/subtle package use some bit twiddling to perform operations in a constant time.

Let's look at how this would work in Go: