Keys subject to timing attacks #2
Comments
|
Oops, secret keys are 64 chars long (not 32) as I first read; so you're safe as long as no one uses a secret key as a table key. Still though: I think you'd be better off if you used a userdata. |
|
Thanks for the heads up. I probably don't understand enough about how string interning works. How could it be exploited for timing attack? Secret keys are 64 bytes only for the ed25519 signature functions. I use 32-byte secret keys in many places here and in other libraries of mine. So I 'd better understand this issue! |
When a short string is created in lua it undergoes "interning" -> meaning that lua will index the internal copy of it, so that if someone pushes the same string again it doesn't have to store it twice. When this occurs, it takes a slightly different amount of time to check if a string is already interned on not, depending on a common prefix (due to use of To see where this may hurt imagine you have a http server that uses lua to process requests and sign a response: e.g. each string in an json api request will be converted to a lua string, allowing a remote attacker to try and probe for your secret key. |
|
Thanks for the explanation. I must give it a serious look. |
|
I am still thinking about this one. |
|
I think you should return keys as userdata. Then have some method on that userdata |
By storing private keys in lua strings < LUAI_MAXSHORTLEN (40) characters long, you're exposing them to a potential timing attack due to interning.
Please return keys inside of some type of userdata so that they don't get interned.
The text was updated successfully, but these errors were encountered: