mirror of
https://github.com/strongswan/strongswan.git
synced 2025-10-04 00:00:14 -04:00
39e1ddec2e
This tool shows that it is trivial to re-construct the value memcmp() compares against by just measuring the time the non-time-constant memcmp() requires to fail. It also shows that even when running without any network latencies it gets very difficult to reconstruct MAC/ICV values, as the time variances due to the crypto routines are large enough that it gets difficult to measure the time that memcmp() actually requires after computing the MAC. However, the faster/time constant an algorithm is, the more likely is a successful attack. When using AES-NI, it is possible to reconstruct (parts of) a valid MAC with this tool, for example with AES-GCM. While this is all theoretical, and way more difficult to exploit with network jitter, it nonetheless shows that we should replace any use of memcmp/memeq() with a constant-time alternative in all sensitive places.
19 lines
181 B
Plaintext
19 lines
181 B
Plaintext
aes-test
|
|
bin2array
|
|
bin2sql
|
|
crypt_burn
|
|
dh_speed
|
|
dnssec
|
|
fetch
|
|
hash_burn
|
|
id2sql
|
|
key2keyid
|
|
keyid2sql
|
|
malloc_speed
|
|
oid2der
|
|
pubkey_speed
|
|
settings-test
|
|
thread_analysis
|
|
tls_test
|
|
timeattack
|