Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix: sensitive data compare should use constant time compare to avoid timing attack #3508

Merged
merged 6 commits into from
Oct 8, 2024
Merged

fix: sensitive data compare should use constant time compare to avoid timing attack #3508

merged 6 commits into from
Oct 8, 2024

Conversation

nan01ab
Copy link
Contributor

@nan01ab nan01ab commented Oct 4, 2024

Description

RpcServer.CheckAuth use direct compare to determine two strings equal or not, but sensitive data compare should use constant time compare to avoid timing attack

Type of change

  • Optimization (the change is only an optimization)
  • Style (the change is only a code style for better maintenance or standard purpose)
  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • This change requires a documentation update

Checklist:

  • My code follows the style guidelines of this project
  • I have performed a self-review of my code
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation
  • My changes generate no new warnings
  • I have added tests that prove my fix is effective or that my feature works
  • New and existing unit tests pass locally with my changes
  • Any dependent changes have been merged and published in downstream modules

vncoelho
vncoelho reviewed Oct 4, 2024
View reviewed changes
Copy link
Member

@vncoelho vncoelho left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I understand this timing attack. It looks correct and the XOR is quite efficient.
Although it does not look much critical to me in this specific case.

vncoelho
vncoelho previously approved these changes Oct 4, 2024
View reviewed changes
Jim8y
Jim8y previously approved these changes Oct 4, 2024
View reviewed changes
@Jim8y
Copy link
Contributor

Jim8y commented Oct 4, 2024
edited
Loading

side-channel attack is sort of hot in the research area~~~~ but not sure how industry see it.

@nan01ab nan01ab dismissed stale reviews from Jim8y and vncoelho via 0a5e52c October 6, 2024 02:48
shargon added a commit that referenced this pull request Oct 8, 2024
@shargon
Related to #3508 (comment)
0df5881
@shargon shargon mentioned this pull request Oct 8, 2024
Merged
15 tasks
@shargon shargon merged commit 331fa24 into neo-project:master Oct 8, 2024
7 checks passed
@Jim8y Jim8y deleted the fix.pass-contant-time-equals branch October 8, 2024 12:38
NGDAdmin pushed a commit that referenced this pull request Oct 9, 2024
@shargon @Jim8y
Related to #3508 (comment) (#3516)
a817e29 
Co-authored-by: Jimmy <jinghui@wayne.edu>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@shargon shargon shargon approved these changes

@Jim8y Jim8y Jim8y approved these changes

@roman-khimov roman-khimov roman-khimov approved these changes

@AnnaShaleva AnnaShaleva AnnaShaleva approved these changes

@vncoelho vncoelho vncoelho left review comments

Assignees
No one assigned
Labels
ready to merge waiting for review
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
6 participants
@nan01ab @Jim8y @shargon @vncoelho @roman-khimov @AnnaShaleva