OMEMO - Timing Side-Channel in HMAC Comparison #646

Open
soatok opened this issue Aug 10, 2024 · 2 comments

soatok commented Aug 10, 2024

Originally disclosed here.

```cpp
// The flagged comparison: a non-constant-time inequality check on the MAC.
if (messageAuthenticationCode != expectedMessageAuthenticationCode) {
```

Explainers:

  1. https://soatok.blog/2020/08/27/soatoks-guide-to-side-channel-attacks/
  2. https://security.stackexchange.com/a/74552

This defect is a problem with the OMEMO specification. It should have called out the specific steps that implementors follow to prevent this sort of side-channel attack.

lnjX (Member) commented Aug 21, 2024

So the issue is that an attacker could gain information about the real HMAC because of the non-constant-time comparison, right? I'd guess that this isn't realistic when triggering this remotely via network, but still of course this could be improved.

I didn't find a commonly used constant-time string comparison function in the standard library or QCA. Do you have any recommendations?

And have you considered making a proposal to update the spec?

soatok (Author) commented Aug 21, 2024

> I didn't find a commonly used constant-time string comparison function in the standard library or QCA. Do you have any recommendations?

https://github.com/jedisct1/libsodium/blob/1012bbc380c81bf7782a85d43c2c9ed7caf8c8b9/src/libsodium/sodium/utils.c#L186-L208

> And have you considered making a proposal to update the spec?

After the misconduct of one of the spec authors, I'm avoiding talking to them at all. Feel free to suggest it if you think it's a good use of your time.
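The following is an added illustration of the defect discussed in this issue and of the fix soatok points to; it is not QXmpp's code and not libsodium's. It shows the variable-time pattern from the report (an early-exit `!=`, here on `std::string` instead of the project's own type) next to a secret-independent comparison written in the same XOR-accumulate style as libsodium's `sodium_memcmp`. The function names `variableTimeEquals` and `constantTimeEquals` and the sample tags are assumptions made for the example.

```cpp
#include <cstddef>
#include <cstdint>
#include <string>

// Variable-time comparison: std::string::operator!= returns as soon as one
// byte differs, so the time taken depends on how long the matching prefix is.
// This is the pattern the issue flags.
bool variableTimeEquals(const std::string &received, const std::string &expected)
{
    return !(received != expected);
}

// Secret-independent comparison in the style of libsodium's sodium_memcmp
// (illustrative rewrite, not libsodium's code): every byte is visited
// regardless of where the first mismatch is, and the verdict is derived
// from the accumulated difference instead of from an early return.
bool constantTimeEquals(const std::string &received, const std::string &expected)
{
    // An HMAC tag has a fixed length, so rejecting a wrong length up front
    // reveals nothing about the tag's contents.
    if (received.size() != expected.size()) {
        return false;
    }
    volatile unsigned char diff = 0;  // volatile discourages the compiler from short-circuiting
    for (std::size_t i = 0; i < received.size(); ++i) {
        diff |= static_cast<unsigned char>(received[i]) ^ static_cast<unsigned char>(expected[i]);
    }
    // (diff - 1) >> 8 is non-zero only when diff == 0; no data-dependent branch.
    return (1 & ((static_cast<unsigned>(diff) - 1) >> 8)) == 1;
}

// How many bytes an early-exit comparison inspects before stopping. This is the
// quantity a timing measurement can estimate, which is why the prefix length leaks.
std::size_t bytesInspectedByEarlyExit(const std::string &received, const std::string &expected)
{
    std::size_t n = 0;
    const std::size_t len = received.size() < expected.size() ? received.size() : expected.size();
    while (n < len && received[n] == expected[n]) {
        ++n;
    }
    return n < len ? n + 1 : n;  // the mismatching byte itself is also read
}

int main()
{
    // Constructed sample tags (not real MAC values).
    const std::string expected = "0123456789abcdef0123456789abcdef";
    const std::string badEarly = "X123456789abcdef0123456789abcdef";
    const std::string badLate  = "0123456789abcdef0123456789abcdeX";

    // Both rejections are correct; only the timing of the first function differs.
    return (!variableTimeEquals(badEarly, expected) && !constantTimeEquals(badLate, expected)
            && constantTimeEquals(expected, expected)) ? 0 : 1;
}
```

In QXmpp the same loop would run over the raw bytes of the two MAC buffers (for a Qt byte container, over `constData()` for `size()` bytes); the point is that the verdict must not short-circuit on the first differing byte.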
