kanongil
left a comment
I understand this PR is coupled with hapijs/cryptiles#63, but I fail to understand why it needs to artificially spend time on structurally invalid signatures.
I'm guessing it is a security bit, but any attacker can trivially know the correct length of the signature. And for regular timing attacks, they require the actual content of the signature to be compared, so this makes no difference.
@kanongil the built-in crypto timesafe check throws on mismatching buffer lengths and reveals a mismatch. This was submitted as a security review. I swapped these arguments so it validates on our internally generated signature vs theirs, but you're right. Byte generation overhead reveals a timing difference due to length anyway. At least it hides the dramatic time difference it had before.
I guess you missed the OOB discussion. There is no point in hiding it. Even if it worked perfectly, it would only hide the length of the signature. Something that can trivially be derived from the used algorithm, or an existing non-forged token.
No description provided.
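An added example, not code from this PR or from the hapijs projects, showing the two behaviours discussed in the thread in Node.js: `crypto.timingSafeEqual` throws when the buffers differ in length, and an HMAC-SHA256 signature has a length fixed by the algorithm. The key, the payload and the helper names `sign`, `rawCompare` and `verify` are assumptions made for the illustration.

```javascript
'use strict';
const crypto = require('node:crypto');

// Constructed sample key and payload, for illustration only.
const KEY = Buffer.from('constructed-demo-key-not-a-real-secret');
const PAYLOAD = 'header.payload';

// HMAC-SHA256 always yields 32 bytes, which is 43 base64url characters.
function sign(payload, key) {
  return crypto.createHmac('sha256', key).update(payload).digest('base64url');
}

// Hypothetical helper: report what crypto.timingSafeEqual does with
// buffers of unequal length instead of letting the exception escape.
function rawCompare(a, b) {
  try {
    return crypto.timingSafeEqual(Buffer.from(a), Buffer.from(b));
  } catch (err) {
    return err.code; // RangeError raised before any byte is compared
  }
}

// Hypothetical verifier: reject structurally invalid signatures up front,
// then compare the two equal-length buffers in constant time.
function verify(payload, presented, key) {
  const expected = Buffer.from(sign(payload, key));
  const given = Buffer.from(String(presented));
  if (given.length !== expected.length) {
    return false; // the length is public: it follows from the algorithm
  }
  return crypto.timingSafeEqual(given, expected);
}

const good = sign(PAYLOAD, KEY);
const forged = 'A'.repeat(good.length); // right length, wrong content

console.log('signature length:', good.length);
console.log('raw compare, wrong length:', rawCompare(good, 'short'));
console.log('verify good:', verify(PAYLOAD, good, KEY));
console.log('verify forged:', verify(PAYLOAD, forged, KEY));
console.log('verify short:', verify(PAYLOAD, 'short', KEY));
```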