Vulnerability Development mailing list archives
Re: Is there a hidden channel in X authentication?
From: daw () mozart cs berkeley edu (David Wagner)
Date: 22 May 2001 16:48:18 GMT
Michael Wojcik wrote:
In any case, it's easy enough to mask the time by using a hand-coded comparison loop that always compares all the bytes and sets a flag if any of them differ.
A nice approach is to do what Unix password authentication does: Hash both inputs, and then check if the hashes are the same. The latter comparison can be done with memcmp(), because the timing side-channel reveals nothing if the hash is one-way.
Current thread:
- Is there a hidden channel in X authentication? Klaus Frank (May 17)
- Re: Is there a hidden channel in X authentication? Matt Conover (May 21)
- Re: Is there a hidden channel in X authentication? Pavel Kankovsky (May 21)
- Re: Is there a hidden channel in X authentication? Klaus Frank (May 22)
- Re: Is there a hidden channel in X authentication? David Wagner (May 22)
- Re: Is there a hidden channel in X authentication? Martin Rex (May 23)
- Re: Is there a hidden channel in X authentication? wwieser (May 27)
- Re: Is there a hidden channel in X authentication? Pavel Kankovsky (May 28)
- <Possible follow-ups>
- RE: Is there a hidden channel in X authentication? Michael Wojcik (May 21)
- RE: Is there a hidden channel in Xauthentication? Klaus Frank (May 22)
- Re: Is there a hidden channel in X authentication? David Wagner (May 22)