Vulnerability Development mailing list archives

Re: Is there a hidden channel in X authentication?


From: daw () mozart cs berkeley edu (David Wagner)
Date: 22 May 2001 16:48:18 GMT

Michael Wojcik wrote:
> In any case, it's easy enough to mask the time by using a hand-coded
> comparison loop that always compares all the bytes and sets a flag if any of
> them differ.

A nice approach is to do what Unix password authentication does:
Hash both inputs, and then check if the hashes are the same.  The latter
comparison can be done with memcmp(), because the timing side-channel
reveals nothing if the hash is one-way.
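
Both comparisons discussed in this thread, as an added Python example (not code from either poster): the full-scan loop with a difference flag, and hash-then-compare using an early-exit check on the digests. The byte counter is a model of the work an early-exit memcmp() does rather than a timing measurement; SHA-256, the function names and the SECRET value are assumptions made for the example.

```python
import hashlib

def early_exit_compare(a: bytes, b: bytes):
    """memcmp()-style check: stop at the first differing byte.
    Returns (equal, bytes_examined); the count models the timing leak."""
    if len(a) != len(b):
        return False, 0
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y:
            return False, i + 1
    return True, len(a)

def full_scan_compare(a: bytes, b: bytes):
    """Hand-coded loop: examine every byte and OR the differences into a flag."""
    if len(a) != len(b):
        return False, 0
    diff = 0
    for x, y in zip(a, b):
        diff |= x ^ y          # no branch on secret data inside the loop
    return diff == 0, len(a)

def hashed_compare(a: bytes, b: bytes):
    """Hash both inputs, then use the early-exit compare on the digests.
    SHA-256 is an assumption; the post does not name a hash."""
    return early_exit_compare(hashlib.sha256(a).digest(),
                              hashlib.sha256(b).digest())

SECRET = b"constructed-key!"   # constructed 16-byte sample value

def work_profile(compare):
    """Bytes examined for guesses whose first 0, 4, 8 and 15 bytes are correct."""
    profile = []
    for k in (0, 4, 8, 15):
        guess = SECRET[:k] + b"\x00" * (len(SECRET) - k)
        equal, examined = compare(SECRET, guess)
        assert not equal
        profile.append(examined)
    return profile

if __name__ == "__main__":
    for fn in (early_exit_compare, full_scan_compare, hashed_compare):
        print(f"{fn.__name__:20} {work_profile(fn)}")
```

The early-exit profile grows with the number of correct leading bytes, the full-scan profile is flat, and the hashed profile tracks the digests rather than the guessed prefix. In real Python code the standard library's `hmac.compare_digest()` is the comparison to use, since an interpreted loop gives no machine-level timing guarantee.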

