[kwlug-disc] Postgresql hash index as a mitigation of timing attack

Mikalai Birukou mb at 3nsoft.com
Wed Jun 6 16:06:19 EDT 2018


Of course, ids/secrets are not sequential. Maybe I wrote it in a 
potentially confusing way.

When a hacker makes guesses, he will be guessing the first byte/letter, then 
the second byte/letter, producing results like `a...`, `aD...`, etc. There 
is a sequence in which the attacker approaches this search problem. But 
the secrets themselves should be random.


On 2018-06-06 03:46 PM, Khalid Baheyeldin wrote:
> On Wed, Jun 6, 2018 at 2:52 PM, Mikalai Birukou via kwlug-disc 
> <kwlug-disc at kwlug.org <mailto:kwlug-disc at kwlug.org>> wrote:
>
>
>     Sometimes we store secret session ids in a db, and we use these for
>     authentication. Usually there is a query that gets the respective record,
>     searching a table for a session id given by the user.
>     The usual `WHERE` clause uses the fastest comparison, whose run
>     time is dependent on the input values. This can be used as a basis
>     for an attack that guesses the session id via timing.
>
>
> Are the session IDs sequential? If so, then they should not (ideally) 
> be so.
>
> For example, in Drupal, when it wants to create a session, it calls 
> PHP's session_id() with a function that basically gets some random 
> bytes, does a base64 encode on them, and uses that as the session key.
>
> The random bytes are from a variety of sources: if OpenSSL is 
> installed, then pseudo random bytes from it are requested, otherwise 
> /dev/urandom, process ID, microtime(), etc.
>
> So, nothing sequential gets used, or stored.
>
> -- 
> Khalid M. Baheyeldin
> 2bits.com <http://2bits.com>, Inc.
> Fast Reliable Drupal
> Drupal optimization, development, customization and consulting.
> Simplicity is prerequisite for reliability. -- Edsger W. Dijkstra
> Simplicity is the ultimate sophistication. -- anonymous
>
>
>
> _______________________________________________
> kwlug-disc mailing list
> kwlug-disc at kwlug.org
> http://kwlug.org/mailman/listinfo/kwlug-disc_kwlug.org
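The lookup pattern described in the thread and a hashed-key variant side by side, as an added example that is not part of the original thread. sqlite3 stands in for PostgreSQL here, and the table layout and function names are assumptions; the point is that with a hashed key the bytes the database compares are no longer the attacker-chosen secret, so guessing it prefix by prefix through timing no longer lines up with the stored value.

```python
import hashlib
import secrets
import sqlite3

# Added example (not from the thread). sqlite3 stands in for PostgreSQL;
# the table layout and function names are assumptions.


def make_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    # Pattern from the thread: the secret itself is the key, so the WHERE
    # comparison runs over bytes the attacker controls byte by byte.
    db.execute("CREATE TABLE sessions_plain (token TEXT PRIMARY KEY, user_id INTEGER NOT NULL)")
    # Mitigation: the key is a SHA-256 digest of the secret. Any timing that
    # leaks relates to digest bytes, which the attacker cannot steer without
    # first guessing the whole token.
    db.execute("CREATE TABLE sessions_hashed (token_hash BLOB PRIMARY KEY, user_id INTEGER NOT NULL)")
    return db


def new_token() -> str:
    # 32 random bytes, url-safe base64: the same shape as the Drupal scheme
    # described in the thread (random bytes, encoded).
    return secrets.token_urlsafe(32)


def hash_token(token: str) -> bytes:
    return hashlib.sha256(token.encode("utf-8")).digest()


def create_session_plain(db: sqlite3.Connection, user_id: int) -> str:
    token = new_token()
    db.execute("INSERT INTO sessions_plain VALUES (?, ?)", (token, user_id))
    return token


def lookup_session_plain(db: sqlite3.Connection, token: str):
    row = db.execute("SELECT user_id FROM sessions_plain WHERE token = ?", (token,)).fetchone()
    return row[0] if row else None


def create_session_hashed(db: sqlite3.Connection, user_id: int) -> str:
    token = new_token()  # raw secret goes only to the client, never into the table
    db.execute("INSERT INTO sessions_hashed VALUES (?, ?)", (hash_token(token), user_id))
    return token


def lookup_session_hashed(db: sqlite3.Connection, token: str):
    # The database only ever sees and compares the digest of what the user sent.
    row = db.execute("SELECT user_id FROM sessions_hashed WHERE token_hash = ?", (hash_token(token),)).fetchone()
    return row[0] if row else None
```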
