php-openid

security hole?

Open getify opened this issue 15 years ago • 3 comments

http://lists.openid.net/pipermail/openid-security/2010-July/001156.html

I'm wondering if you guys are aware of this report and if it affects your implementations (specifically your PHP5 one)? I use your lib but I want to know if it's got an issue that needs to be addressed?

getify, Jul 16 '10 03:07

I've whipped up a quick patch that implements the recommended style of constant-time string comparison:

http://github.com/brion/php-openid/commit/69892130667c32fc30a2e1e6ba21e5cf448268cd

I've done a little ad-hoc testing, but this code HAS NOT YET BEEN REVIEWED by someone who knows what they're doing; since the code runs several orders of magnitude slower than a low-level strcmp(), any new timing flaw here could be even easier to detect.

Use at your own risk!

bvibber, Jul 17 '10 21:07

Given the performance impact you have mentioned, could this issue be alleviated by performing a nonce check before validation of the signature? I realize this does not eliminate the potential of a timing attack in checking the HMAC - however, if the nonce is being verified first, then it would eliminate an attacker's ability to perform the timing attack as they would be rejected before reaching the HMAC verification...

dermidgen, Jul 28 '10 23:07

Regardless of the nonce checking... Your results are actually spot on...

http://lists.openid.net/pipermail/openid-security/2010-July/001181.html

This should provide some level of clarity on why this works. If I'm understanding correctly - the timing attack is aggravated by the lengthening of time on non-matching signatures - while matching signatures experience solid performance. It's a little confusing as I understand the timing attack likes the extra time spent on failure to figure out that it's getting closer and closer to the correct value. However, I'm guessing that if the timing is mucked with in this way it makes it difficult to ever get narrowed down to a value.

Regardless, it would seem that combining upfront nonce checking and the XOR validation of the HMAC as you patched in - should be pretty rock solid.

It's also interesting to note the results in .NET where you basically get the same kind of experience...

http://lists.openid.net/pipermail/openid-security/2010-July/001191.html

dermidgen, Jul 29 '10 00:07
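
The combination discussed in the comments above (nonce check first, then an XOR-style comparison of the HMAC), as an added example that is not code from php-openid or from the linked patch. The function names, key, message layout and nonce store are all constructed for illustration, and the message format is simplified rather than real OpenID signing.

```php
<?php
// Added illustration: names and sample data below are hypothetical.

/** XOR-accumulate comparison: every byte is examined, with no early exit. */
function constant_time_equals(string $known, string $given): bool
{
    // HMAC outputs have a fixed, public length, so a length check leaks nothing secret.
    if (strlen($known) !== strlen($given)) {
        return false;
    }
    $diff = 0;
    for ($i = 0, $n = strlen($known); $i < $n; $i++) {
        // Fold each byte difference into $diff instead of returning on mismatch.
        $diff |= ord($known[$i]) ^ ord($given[$i]);
    }
    return $diff === 0;
}

/** Reject a reused nonce first, then compare the HMAC in constant time. */
function verify_message(string $key, string $msg, string $nonce, string $sig, array &$seen): bool
{
    if (isset($seen[$nonce])) {
        return false;            // reused nonce: the HMAC check is never reached
    }
    $seen[$nonce] = true;        // consumed whether or not the signature verifies

    // Assumption: the nonce is part of the signed data (simplified layout).
    $expected = hash_hmac('sha256', $msg . $nonce, $key, true);

    // On PHP >= 5.6 the built-in hash_equals($expected, $sig) does the same job.
    return constant_time_equals($expected, $sig);
}

// Constructed sample data.
$key  = 'constructed-association-secret';
$msg  = 'openid.mode=id_res&openid.identity=https://example.test/alice';
$seen = [];

$good = hash_hmac('sha256', $msg . 'n1', $key, true);
$bad  = hash_hmac('sha256', $msg . 'n2', $key, true);
$bad[31] = chr(ord($bad[31]) ^ 0x01);   // flip one bit in the last byte only

var_dump(verify_message($key, $msg, 'n1', $good, $seen)); // fresh nonce, valid signature
var_dump(verify_message($key, $msg, 'n1', $good, $seen)); // same nonce presented again
var_dump(verify_message($key, $msg, 'n2', $bad,  $seen)); // fresh nonce, altered signature
```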

This repo is being archived. Closing issue.

timcappalli, Jul 24 '23 18:07