
Re: (ITS#9138)



scf@ieee.org wrote:
> Howard mentioned in another wrongly submitted issue (#9139) that
> "memcmp.c isn't even referenced in the Makefile, so none of this code
> is used." Here is the clarification: even if memcmp.c is not used, gcc
> or other compilers' implementations of memcmp are still unsafe
> (https://github.com/gcc-mirror/gcc/blob/master/libiberty/memcmp.c).
> 
Even so, it's largely irrelevant. The default password storage scheme is a
salted hash, not CLEARTEXT. The cleartext code isn't even compiled unless
you explicitly configure to enable SLAPD_CLEARTEXT, and that is always
disabled by default.

In the normal case, where any form of hash is used, the likelihood of gaining
any useful timing information from a bytewise compare of two hashes is nil.
The attacker would need to know the salt and the hash algo itself would have
to be vulnerable to chosen-plaintext attacks for them to be able to leverage
the timing and determine match lengths.

Can you actually demonstrate a password extraction attack using memcmp timing
side-channel against salted SHA1?

-- 
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
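
The comparison discussed in this message, as an added example (not code from OpenLDAP or from either poster): it counts how many bytes an early-exit bytewise compare reads when checking salted SHA-1 digests, which is the quantity a timing measurement could expose, beside a comparison that does not short-circuit. The salts, password and function names are constructed for illustration; the SHA1(password || salt) layout follows the {SSHA} scheme.

```python
import hashlib
import hmac

def ssha_digest(password: bytes, salt: bytes) -> bytes:
    # {SSHA}-style salted SHA-1: digest over the password followed by the salt.
    return hashlib.sha1(password + salt).digest()

def early_exit_steps(a: bytes, b: bytes) -> int:
    # Number of bytes a memcmp-style loop reads before it returns.
    # The timing of such a compare can reveal at most this count.
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y:
            return i + 1
    return min(len(a), len(b))

def verify_early_exit(stored: bytes, salt: bytes, guess: bytes):
    # Returns (match, bytes_examined) for a bytewise early-exit compare.
    candidate = ssha_digest(guess, salt)
    return candidate == stored, early_exit_steps(candidate, stored)

def verify_constant_time(stored: bytes, salt: bytes, guess: bytes) -> bool:
    # hmac.compare_digest does not short-circuit on the first differing byte.
    return hmac.compare_digest(ssha_digest(guess, salt), stored)

# Constructed sample values, not taken from any real directory.
SALT = bytes.fromhex("a1b2c3d4")
OTHER_SALT = bytes.fromhex("0f1e2d3c")
PASSWORD = b"correct horse"
STORED = ssha_digest(PASSWORD, SALT)

if __name__ == "__main__":
    for guess in (b"correct horsf", b"correct", b"zzzz", PASSWORD):
        ok, steps = verify_early_exit(STORED, SALT, guess)
        # The count tracks the digest bytes, not the characters of the guess.
        print(f"{guess!r:18} match={ok!s:5} bytes_examined={steps}")
        assert ok == verify_constant_time(STORED, SALT, guess)
    # Same password under a different salt yields a different digest.
    print(ssha_digest(PASSWORD, SALT).hex())
    print(ssha_digest(PASSWORD, OTHER_SALT).hex())
```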