What is the preferred or recommended way to pursue contestant time compares when array lengths are not equal?
Should we exit as early as possible? Something like:
if (array1.size() != array2.size()) {
return NOT_EQUAL;
}
int accum = 0;
for(int i = 0; i < array1.size(); i++) {
accum |= array1[i] ^ array2[i];
}
return (accum == 0) ? EQUAL : NOT_EQUAL;
Or should we avoid the early exit, and compare as much as possible in hopes of masking as much as possible? Something like:
int size = min(array1.size(), array2.size());
int accum = (array1.size() ^ array2.size());
for(int i = 0; i < size; i++) {
accum |= array1[i] ^ array2[i];
}
return (accum == 0) ? EQUAL : NOT_EQUAL;
Or something else?
Or is this question more appropriate for the folks on the Crypto.SE because its theoretical minutia?
EDIT: this seems to be related to Timing attacks on password hashes. But the cited question is a particular instance of the generalized problem (and I'm interested in the generalized question).
I'm not sure I agree with the cited question's answer or assertion that "Using timing attacks in this case will in no way tell an attacker more than what he would know if he had the actual stored hash and salt..." because the attacker could be trying to recover the hashed password though timing attacks. Given a hashed password, its only a leap back to the password in some cases.
Aucun commentaire:
Enregistrer un commentaire