 

Trying to understand this function from Go: why make a function that always runs in constant time, and how does this work?

Tags:

go

I encountered the following function in the crypto/subtle package, which made me very curious. I hope someone can explain the purpose behind it. Thanks,

    package subtle

    // ConstantTimeByteEq returns 1 if x == y and 0 otherwise.
    func ConstantTimeByteEq(x, y uint8) int {
        z := ^(x ^ y) // every bit of z is 1 exactly where x and y agree, so z == 0xff iff x == y
        z &= z >> 4   // AND the high nibble into the low nibble (bits 4-7 become 0)
        z &= z >> 2   // AND bits 2-3 into bits 0-1 (bits 2-3 become 0)
        z &= z >> 1   // AND bit 1 into bit 0: bit 0 is 1 only if all eight original bits were 1

        return int(z) // z is now exactly 0 or 1; no branch on x or y was taken
    }
Rn2dy asked Dec 05 '13 22:12


1 Answer

It prevents timing attacks against cryptosystems: any code path takes exactly the same amount of time.

If you are careless about timing, you open up a side channel which leaks information about your secret. E.g. you could determine that the first character of a password is 'R' because the system fails 10ns faster if your wrong password starts with 'R'. Repeat with the next character until you have found the password.

Implementing cryptography is really hard. Really really hard.

Volker answered Sep 20 '22 06:09
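The "fails faster on a longer matching prefix" leak described in the answer, as an added worked example that is not part of the original question or answer and not code from Go's crypto/subtle. It reproduces the bit trick from the question (named constantTimeByteEq here, and checked against the real subtle.ConstantTimeByteEq for all 65,536 inputs), then compares a classic early-exit byte comparison with a constant-time one. Instead of measuring nanoseconds, each comparison reports how many bytes it examined, which is the quantity the running time depends on; the secret value, the guess construction and all function names are constructed for the demo.

```go
package main

import (
	"crypto/subtle"
	"fmt"
)

// constantTimeByteEq reproduces the function from the question so the bit
// trick can be checked exhaustively in byteEqMatchesSpec below.
func constantTimeByteEq(x, y uint8) int {
	z := ^(x ^ y) // all eight bits set exactly when x == y
	z &= z >> 4   // fold the high nibble into the low nibble
	z &= z >> 2   // fold bits 2-3 into bits 0-1
	z &= z >> 1   // bit 0 is 1 only if every original bit was 1
	return int(z)
}

// byteEqMatchesSpec checks every (x, y) pair: the result must equal the
// branchy definition and the standard library's subtle.ConstantTimeByteEq.
func byteEqMatchesSpec() bool {
	for x := 0; x < 256; x++ {
		for y := 0; y < 256; y++ {
			want := 0
			if x == y {
				want = 1
			}
			got := constantTimeByteEq(uint8(x), uint8(y))
			if got != want || got != subtle.ConstantTimeByteEq(uint8(x), uint8(y)) {
				return false
			}
		}
	}
	return true
}

// naiveCompare is the leaky comparison: it returns at the first mismatching
// byte, so the work done (and hence the time) grows with the length of the
// guess's matching prefix. bytesExamined exposes that work deterministically.
func naiveCompare(secret, guess []byte) (equal bool, bytesExamined int) {
	if len(secret) != len(guess) {
		return false, 0
	}
	for i := range secret {
		bytesExamined++
		if secret[i] != guess[i] {
			return false, bytesExamined
		}
	}
	return true, bytesExamined
}

// constantTimeCompare examines every byte no matter where the first mismatch
// is, ANDing the per-byte results together; the same idea as
// subtle.ConstantTimeCompare. Like the standard library, it still reveals
// whether the lengths differ, so callers must not treat the length as secret.
func constantTimeCompare(secret, guess []byte) (equal bool, bytesExamined int) {
	if len(secret) != len(guess) {
		return false, 0
	}
	acc := 1
	for i := range secret {
		bytesExamined++
		acc &= constantTimeByteEq(secret[i], guess[i])
	}
	return acc == 1, bytesExamined
}

// prefixLeak plays the attacker: for n = 0..len(secret)-1 it builds a guess
// that matches the secret on the first n bytes and is wrong at byte n, and
// records how many bytes cmp examined. A count that rises with n is the side
// channel used to recover the secret one byte at a time; a flat count is not.
func prefixLeak(secret []byte, cmp func(a, b []byte) (bool, int)) []int {
	counts := make([]int, 0, len(secret))
	for n := 0; n < len(secret); n++ {
		guess := make([]byte, len(secret))
		copy(guess, secret[:n])
		guess[n] = secret[n] ^ 0xff // guaranteed mismatch at position n
		_, examined := cmp(secret, guess)
		counts = append(counts, examined)
	}
	return counts
}

func main() {
	secret := []byte("Rn2dy-secret") // constructed sample secret for the demo
	fmt.Println("bit trick matches spec:", byteEqMatchesSpec())
	fmt.Println("naive bytes examined:   ", prefixLeak(secret, naiveCompare))
	fmt.Println("constant-time examined: ", prefixLeak(secret, constantTimeCompare))
}
```

Running it shows the naive counts climbing 1, 2, 3, ... as the guessed prefix gets longer, while the constant-time counts are all equal to the secret's length; in a real system that difference is what shows up as the "10ns faster" failure the answer describes, which is why the production comparison must also avoid data-dependent branches inside each byte comparison, not just the early return.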