Solved

What is a timing leak? (in plain english)

Posted on 2016-09-28
Last Modified: 2016-09-28
Even though I am new to programming, I want to try to do things as securely as possible as I learn to do basic things. I am getting to cookie security and came across a really great security website. Some of it is over my head though, such as preventing timing leaks. The first part seems simple enough, which is to generate a unique token when users check the “remember me” checkbox.
function generateToken($length = 20)
{
    return bin2hex(random_bytes($length));
}


I don’t want to post the entire article here unless that is okay with everyone (please let me know if I can) otherwise here is a link to the article.
They basically say, “Even if you're using a cryptographically secure random number generator, but your cookie looks like rememberme=WBWgm2oMFxsiGRGQNJ6n8gtN3gOuQ2wjN8ZRjZtU0Mn and you're storing these tokens in a database table that looks like this:

CREATE TABLE `auth_tokens` (
    `id` integer(11) not null UNSIGNED AUTO_INCREMENT,
    `token` char(33),
    `userid` integer(11) not null UNSIGNED,
    `expires` integer(11), -- or datetime
    PRIMARY KEY (`id`)
);

(And a look-up query might look something like this...)

SELECT * FROM auth_tokens WHERE token = 'WBWgm2oMFxsiGRGQNJ6n8gtN3gOuQ2wjN8ZRjZtU0Mn';


Watch out, an esoteric and nontrivial attack still exists."

Then it goes on about timing leaks.
If anyone would be prepared to take the time to explain this in plain English I would be really grateful. I really want to implement this but want to know what I am doing and why I am doing it.

https://paragonie.com/blog/2015/04/secure-authentication-php-with-long-term-persistence
Question by:Black Sulfur
7 Comments
 
LVL 35

Assisted Solution

by:Terry Woods
Terry Woods earned 250 total points
ID: 41819494
I think it's suggesting an attacker could keep trying different tokens and measure the response time in order to build a valid token.

I suppose it may even take 100 or 1000 or more requests using one particular token to get an accurate response time, but if there's no throttling or limiting of number of attempts then it can be tried.

Each time a token response time is recorded accurately, another token (one character different) could be submitted, and the response time compared. If the response is longer, then that might be because the first character of the token was correct, and the database took longer to figure out that the remainder of the token wasn't correct. Keep doing this, and a valid token may be able to be constructed without having to try every single possible combination of characters.

Does that make sense?

This kind of attack could probably be defeated by limiting the number of attempts from any given IP address, delaying the response etc.
0
 
LVL 51

Accepted Solution

by:
Julian Hansen earned 250 total points
ID: 41819522
The attack uses the fact that comparison techniques tend to be time efficient in that as soon as they encounter an incorrect match the comparison terminates.
Comparing, say,
abc and adc

will be quicker than
abc and abd

Simply because in the second instance there are two consecutive correct matches whereas in the first the process terminates after the first - making it run in approximately half the time.

By trial and error one can guess the target string by measuring the time.

The solution is to use functions that take constant time - in other words the check takes the same amount of time irrespective of incorrect matches
so comparing afd to abc will take the same amount of time to complete as comparing abc to abc.
By making functions constant time the potential for timing attacks is diminished.
0
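
The early-exit behaviour described in the answer above, as an added example (not code from any poster in this thread): it counts how many characters each comparison inspects for the abc / adc / abd cases and contrasts that with a full-length comparison and PHP's built-in hash_equals(). The function names earlyExitCompare and fullLengthCompare are hypothetical.

```php
<?php
// Added illustration; function names are hypothetical, not from the thread.

// Early-exit comparison: stops at the first mismatch, so the amount of work
// depends on how many leading characters match. Returns [equal, charsCompared].
function earlyExitCompare(string $known, string $guess): array
{
    if (strlen($known) !== strlen($guess)) {
        return [false, 0];
    }
    $steps = 0;
    for ($i = 0, $n = strlen($known); $i < $n; $i++) {
        $steps++;
        if ($known[$i] !== $guess[$i]) {
            return [false, $steps];   // leaves early: work reveals match length
        }
    }
    return [true, $steps];
}

// Full-length comparison: always walks the whole string and folds every
// difference into one accumulator, so the work does not depend on where the
// first mismatch is. In real code use PHP's built-in hash_equals() instead.
function fullLengthCompare(string $known, string $guess): array
{
    if (strlen($known) !== strlen($guess)) {
        return [false, 0];
    }
    $diff = 0;
    $steps = 0;
    for ($i = 0, $n = strlen($known); $i < $n; $i++) {
        $steps++;
        $diff |= ord($known[$i]) ^ ord($guess[$i]);
    }
    return [$diff === 0, $steps];
}

foreach (['adc', 'abd', 'abc'] as $guess) {
    [$eq1, $s1] = earlyExitCompare('abc', $guess);
    [$eq2, $s2] = fullLengthCompare('abc', $guess);
    printf("%s: early-exit %d step(s), full-length %d step(s), hash_equals=%s\n",
        $guess, $s1, $s2, var_export(hash_equals('abc', $guess), true));
}
```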
 
LVL 51

Expert Comment

by:Julian Hansen
ID: 41819525
Another solution (which can be used in parallel or separately) is to use a time limit on requests - only a certain number of requests can be made within a specific time period - this limits the hacker by slowing down the process enough that a brute force attack takes exponentially longer - on probability beyond the lifespan of the session.
0
 

Author Comment

by:Black Sulfur
ID: 41819529
Thanks so much. It is starting to make sense. I just still don't understand the prevention method using the database?

"Our proposed strategy deviates from the above simple token-based automatic login system in one crucial way: Instead of only storing a random token in a cookie, we store selector:validator.

selector is a unique ID to facilitate database look-ups, while preventing the unavoidable timing information from impacting security. (This is preferable to simply using the database id field, which leaks the number of active users on the application.)"

CREATE TABLE `auth_tokens` (
    `id` integer(11) not null UNSIGNED AUTO_INCREMENT,
    `selector` char(12),
    `token` char(64),
    `userid` integer(11) not null UNSIGNED,
    `expires` datetime,
    PRIMARY KEY (`id`)
);


On the database side of things, the validator is not stored wholesale; instead, the SHA-256 hash of validator is stored in the database, while the plaintext is stored (with the selector) in the user's cookie. With this fail-safe in place, if somehow the auth_tokens table is leaked, immediate widespread user impersonation is prevented.

The automatic login algorithm looks something like:

1. Separate selector from validator.
2. Grab the row in auth_tokens for the given selector. If none is found, abort.
3. Hash the validator provided by the user's cookie with SHA-256.
4. Compare the SHA-256 hash we generated with the hash stored in the database, using hash_equals().
5. If step 4 passes, associate the current session with the appropriate user ID."

Being new to all of this, I haven't heard of using a database with a cookie. I thought you just set a cookie, gave it an expiry date and off you go.
0
 
LVL 51

Expert Comment

by:Julian Hansen
ID: 41819562
The cookie is used to store a key into a database table where you usually store session information. It is fairly common practice.

I think their approach is to remove the validator - which can be guessed with the timing attack - from the retrieval of the session data. By making the lookup on some other value (the id) - the validator check is then done with another process after the database record has been found. They imply that hash_equals is a constant time function which then removes the timing from the comparison of the validator with the stored value.
0
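
The selector:validator steps quoted in the question above, written out as an added example (not code from the linked article or from any poster). The helper names issueRememberMe and checkRememberMe, the in-memory SQLite database (requires the pdo_sqlite extension), the 30-day lifetime, the expiry check and user ID 42 are assumptions; the column names follow the quoted table.

```php
<?php
// Added illustration. Helper names, the in-memory SQLite database and the
// 30-day lifetime are assumptions; column names follow the quoted table.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE auth_tokens (id INTEGER PRIMARY KEY AUTOINCREMENT,
    selector CHAR(12), token CHAR(64), userid INTEGER NOT NULL, expires DATETIME)');

// Issue a token: the cookie gets selector:validator, the database only ever
// sees the selector and the SHA-256 hash of the validator.
function issueRememberMe(PDO $db, int $userId): string
{
    $selector  = bin2hex(random_bytes(6));    // 12 hex chars, used for the lookup
    $validator = bin2hex(random_bytes(32));   // secret half, never stored as-is
    $stmt = $db->prepare('INSERT INTO auth_tokens (selector, token, userid, expires)
                          VALUES (?, ?, ?, ?)');
    $stmt->execute([$selector, hash('sha256', $validator), $userId,
                    gmdate('Y-m-d H:i:s', time() + 30 * 86400)]);
    return $selector . ':' . $validator;
}

// Steps 1-5 of the quoted algorithm. Returns the user ID, or null on failure.
function checkRememberMe(PDO $db, string $cookie): ?int
{
    $parts = explode(':', $cookie, 2);                         // step 1
    if (count($parts) !== 2) {
        return null;
    }
    [$selector, $validator] = $parts;
    $stmt = $db->prepare('SELECT token, userid, expires FROM auth_tokens
                          WHERE selector = ?');
    $stmt->execute([$selector]);                               // step 2
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || $row['expires'] < gmdate('Y-m-d H:i:s')) {
        return null;                                           // unknown or expired
    }
    $candidate = hash('sha256', $validator);                   // step 3
    if (!hash_equals($row['token'], $candidate)) {             // step 4
        return null;
    }
    return (int) $row['userid'];                               // step 5
}

$cookie = issueRememberMe($db, 42);                            // constructed user ID
var_dump(checkRememberMe($db, $cookie));                       // genuine cookie
var_dump(checkRememberMe($db, explode(':', $cookie)[0] . ':' . str_repeat('0', 64)));
```

The database lookup still happens on the selector with an ordinary `WHERE` comparison, but the selector alone grants nothing; the secret validator is only ever compared through hash_equals() after hashing.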
 

Author Comment

by:Black Sulfur
ID: 41819848
There must be some pretty bored people out there if they are going to try timing with this:

WBWgm2oMFxsiGRGQNJ6n8gtN3gOuQ2wjN8ZRjZtU0Mn

Is this a serious threat and should I worry about it for small applications or would I be okay just generating random strings and using that for my remember me cookie like:

rememberme=WBWgm2oMFxsiGRGQNJ6n8gtN3gOuQ2wjN8ZRjZtU0Mn ?
0
 
LVL 51

Expert Comment

by:Julian Hansen
ID: 41820207
It comes down to how valuable your data / app is. If the benefit is not worth the effort required then there is reduced incentive. There is always the chance someone wants to break in - but for the most part it is reward for effort that governs whether someone will try.

For small sites though I would not worry about it.
0
