BaSzErr - blog:2016:03:07 https://www.baszerr.eu/ Wed, 06 May 2026 09:45:54 +0000 FeedCreator 1.8 https://www.baszerr.eu/lib/exe/fetch.php?media=wiki:dokuwiki.svg BaSzErr https://www.baszerr.eu/ comparing_hashes https://www.baszerr.eu/doku.php?id=blog:2016:03:07:comparing_hashes <h1 class="sectionedit1" id="comparing_hashes">2016-03-07 - comparing hashes</h1> <div class="level1"> <p> let&#039;s take a simple task – check if user-provided password is equal to the one stored in a DB. of course we&#039;re not storing plain-text passwords and operate of properly slated hashes instead. </p> <p> how hard can it be? </p> </div> <!-- EDIT{&quot;target&quot;:&quot;section&quot;,&quot;name&quot;:&quot;2016-03-07 - comparing hashes&quot;,&quot;hid&quot;:&quot;comparing_hashes&quot;,&quot;codeblockOffset&quot;:0,&quot;secid&quot;:1,&quot;range&quot;:&quot;1-260&quot;} --> <h2 class="sectionedit2" id="attempt_1just_do_it">attempt #1: just do it!</h2> <div class="level2"> <p> hey ma! it&#039;s trivial! </p> <pre class="code c">bool checkEqual<span class="br0">&#40;</span>std<span class="sy0">::</span><span class="me2">string</span> const<span class="sy0">&amp;</span> dbHash<span class="sy0">,</span> std<span class="sy0">::</span><span class="me2">string</span> const<span class="sy0">&amp;</span> userHash<span class="br0">&#41;</span> <span class="br0">&#123;</span> <span class="kw1">return</span> dbHash <span class="sy0">==</span> userHash<span class="sy0">;</span> <span class="br0">&#125;</span></pre> <p> …and KABOOM! </p> <p> <a href="https://www.baszerr.eu/lib/exe/detail.php?id=blog%3A2016%3A03%3A07%3Acomparing_hashes&amp;media=blog:2016:03:07:nukeepicfail.jpg" class="media" title="blog:2016:03:07:nukeepicfail.jpg"><img src="https://www.baszerr.eu/lib/exe/fetch.php?w=400&amp;tok=d6b77b&amp;media=blog:2016:03:07:nukeepicfail.jpg" class="media" loading="lazy" title="Fpic Eail" alt="Fpic Eail" width="400" /></a> </p> <p> using <a href="https://en.wikipedia.org/wiki/timing attack" class="interwiki iw_wp" title="https://en.wikipedia.org/wiki/timing attack">timing attack</a> user&#039;s password hash can be broken in <strong>O(N)</strong>, where N is hash length, effectively giving… <strong>O(1)</strong> (with just a bit of statistical overhead)! </p> <p> classic – fortunately more and more ppl are aware of this nowadays. let us proceed to… </p> </div> <!-- EDIT{&quot;target&quot;:&quot;section&quot;,&quot;name&quot;:&quot;attempt #1: just do it!&quot;,&quot;hid&quot;:&quot;attempt_1just_do_it&quot;,&quot;codeblockOffset&quot;:0,&quot;secid&quot;:2,&quot;range&quot;:&quot;261-780&quot;} --> <h2 class="sectionedit3" id="attempt_2const-time_implementation">attempt #2: const-time implementation</h2> <div class="level2"> <p> ok, ok - so we need timing-independent algorithm for comparisons. giving it a bit though, you&#039;ll come up with something like: </p> <pre class="code c">bool checkEqual<span class="br0">&#40;</span>std<span class="sy0">::</span><span class="me2">string</span> const<span class="sy0">&amp;</span> dbHash<span class="sy0">,</span> std<span class="sy0">::</span><span class="me2">string</span> const<span class="sy0">&amp;</span> userHash<span class="br0">&#41;</span> <span class="br0">&#123;</span> <span class="co1">// step 1</span> <span class="kw1">if</span><span class="br0">&#40;</span> dhHash.<span class="me1">size</span><span class="br0">&#40;</span><span class="br0">&#41;</span> <span class="sy0">!=</span> userHash.<span class="me1">size</span><span class="br0">&#40;</span><span class="br0">&#41;</span> <span class="br0">&#41;</span> <span class="kw1">return</span> <span class="kw2">false</span><span class="sy0">;</span> <span class="co1">// step 2</span> std<span class="sy0">::</span><span class="me2">string</span><span class="sy0">::</span><span class="me2">value_type</span> hasNonEquals <span class="sy0">=</span> <span class="nu0">0</span><span class="sy0">;</span> <span class="kw1">for</span><span class="br0">&#40;</span>std<span class="sy0">::</span><span class="me2">string</span><span class="sy0">::</span><span class="me2">size_type</span> i<span class="sy0">=</span><span class="nu0">0</span><span class="sy0">;</span> i<span class="sy0">&lt;</span>dhHash.<span class="me1">size</span><span class="br0">&#40;</span><span class="br0">&#41;</span><span class="sy0">;</span> <span class="sy0">++</span>i<span class="br0">&#41;</span> hasNonEquals <span class="sy0">|=</span> dhHash<span class="br0">&#91;</span>i<span class="br0">&#93;</span> <span class="sy0">^</span> userHash<span class="br0">&#91;</span>i<span class="br0">&#93;</span><span class="sy0">;</span> <span class="kw1">return</span> not hasNonEquals<span class="sy0">;</span> <span class="br0">&#125;</span></pre> <p> first – step 1. didn&#039;t we just leaked hash length? well… this is common knowledge, thus not a problem here. </p> <p> so – step 2. implementation looks fine – no branches, all characters always checked and final result is just simple check if there were no mismatches. it looks fine and may even work. unfortunately, if you happen to have a very clever compiler, it will notice that the above code is <em>functionally equivalent</em> to: </p> <pre class="code c">bool checkEqual<span class="br0">&#40;</span>std<span class="sy0">::</span><span class="me2">string</span> const<span class="sy0">&amp;</span> dbHash<span class="sy0">,</span> std<span class="sy0">::</span><span class="me2">string</span> const<span class="sy0">&amp;</span> userHash<span class="br0">&#41;</span> <span class="br0">&#123;</span> <span class="co1">// step 1</span> <span class="kw1">if</span><span class="br0">&#40;</span> dhHash.<span class="me1">size</span><span class="br0">&#40;</span><span class="br0">&#41;</span> <span class="sy0">!=</span> userHash.<span class="me1">size</span><span class="br0">&#40;</span><span class="br0">&#41;</span> <span class="br0">&#41;</span> <span class="kw1">return</span> <span class="kw2">false</span><span class="sy0">;</span> <span class="co1">// step 2</span> <span class="kw1">for</span><span class="br0">&#40;</span>std<span class="sy0">::</span><span class="me2">string</span><span class="sy0">::</span><span class="me2">size_type</span> i<span class="sy0">=</span><span class="nu0">0</span><span class="sy0">;</span> i<span class="sy0">&lt;</span>dhHash.<span class="me1">size</span><span class="br0">&#40;</span><span class="br0">&#41;</span><span class="sy0">;</span> <span class="sy0">++</span>i<span class="br0">&#41;</span> <span class="kw1">if</span><span class="br0">&#40;</span> dhHash<span class="br0">&#91;</span>i<span class="br0">&#93;</span> <span class="sy0">^</span> userHash<span class="br0">&#91;</span>i<span class="br0">&#93;</span> <span class="br0">&#41;</span> <span class="kw1">return</span> <span class="kw2">false</span><span class="sy0">;</span> <span class="kw1">return</span> <span class="kw2">true</span><span class="sy0">;</span> <span class="br0">&#125;</span></pre> <p> and even saves some stack space! well – optimizations are awesome, except when they are not. ;) </p> </div> <!-- EDIT{&quot;target&quot;:&quot;section&quot;,&quot;name&quot;:&quot;attempt #2: const-time implementation&quot;,&quot;hid&quot;:&quot;attempt_2const-time_implementation&quot;,&quot;codeblockOffset&quot;:1,&quot;secid&quot;:3,&quot;range&quot;:&quot;781-2142&quot;} --> <h2 class="sectionedit4" id="attempt_3disabling_some_optimizations">attempt #3: disabling (some) optimizations</h2> <div class="level2"> <p> can we disable optimizations for certain variables? how about using a <strong>volatile</strong> variable… </p> <pre class="code c">bool checkEqual<span class="br0">&#40;</span>std<span class="sy0">::</span><span class="me2">string</span> const<span class="sy0">&amp;</span> dbHash<span class="sy0">,</span> std<span class="sy0">::</span><span class="me2">string</span> const<span class="sy0">&amp;</span> userHash<span class="br0">&#41;</span> <span class="br0">&#123;</span> <span class="co1">// step 1</span> <span class="kw1">if</span><span class="br0">&#40;</span> dhHash.<span class="me1">size</span><span class="br0">&#40;</span><span class="br0">&#41;</span> <span class="sy0">!=</span> userHash.<span class="me1">size</span><span class="br0">&#40;</span><span class="br0">&#41;</span> <span class="br0">&#41;</span> <span class="kw1">return</span> <span class="kw2">false</span><span class="sy0">;</span> <span class="co1">// step 2</span> <span class="kw4">volatile</span> std<span class="sy0">::</span><span class="me2">string</span><span class="sy0">::</span><span class="me2">value_type</span> hasNonEquals <span class="sy0">=</span> <span class="nu0">0</span><span class="sy0">;</span> <span class="co1">// &lt;&lt;&lt;&lt; ...RIGHT HERE</span> <span class="kw1">for</span><span class="br0">&#40;</span>std<span class="sy0">::</span><span class="me2">string</span><span class="sy0">::</span><span class="me2">size_type</span> i<span class="sy0">=</span><span class="nu0">0</span><span class="sy0">;</span> i<span class="sy0">&lt;</span>dhHash.<span class="me1">size</span><span class="br0">&#40;</span><span class="br0">&#41;</span><span class="sy0">;</span> <span class="sy0">++</span>i<span class="br0">&#41;</span> hasNonEquals <span class="sy0">|=</span> dhHash<span class="br0">&#91;</span>i<span class="br0">&#93;</span> <span class="sy0">^</span> userHash<span class="br0">&#91;</span>i<span class="br0">&#93;</span><span class="sy0">;</span> <span class="kw1">return</span> not hasNonEquals<span class="sy0">;</span> <span class="br0">&#125;</span></pre> <p> <abbr title="In my humble opinion">IMHO</abbr> this should do. we could probably stop at this point. we are stepping on a thin ice here, though. </p> <p> first of all volatile is crucial and non-obvious part here. if some1 in one year time will come and say <em>hey – what a moron put this volatile here?</em>, we&#039;re screwed. </p> <p> technically speaking, even though we&#039;re guaranteed compiler will not touch our volatile reads and writes, instructions can still get reorganized, a helper variable can be used to store intermediates, etc… in theory at least. i&#039;d not reasonably expect it to happen, but when it comes to cryptography – better be safe than sorry. </p> <p> last but not least – above approach is <a href="https://en.wikipedia.org/wiki/C++" class="interwiki iw_wp" title="https://en.wikipedia.org/wiki/C++">C++</a>-specific trick. note that <em>volatile</em> has different meanings in different programming languages! for instance in <a href="https://en.wikipedia.org/wiki/C Sharp (programming language)" class="interwiki iw_wp" title="https://en.wikipedia.org/wiki/C Sharp (programming language)">C#</a> and <a href="https://en.wikipedia.org/wiki/Java (Programming language)" class="interwiki iw_wp" title="https://en.wikipedia.org/wiki/Java (Programming language)">Java</a> it is equivalent to <em>std::atomic</em> variables in C++. you&#039;ll not be able to use similar method in <a href="https://en.wikipedia.org/wiki/Python (programming language)" class="interwiki iw_wp" title="https://en.wikipedia.org/wiki/Python (programming language)">Python</a> or <a href="https://en.wikipedia.org/wiki/PHP" class="interwiki iw_wp" title="https://en.wikipedia.org/wiki/PHP">PHP</a> too. </p> <p> can there be more generic approach? </p> </div> <!-- EDIT{&quot;target&quot;:&quot;section&quot;,&quot;name&quot;:&quot;attempt #3: disabling (some) optimizations&quot;,&quot;hid&quot;:&quot;attempt_3disabling_some_optimizations&quot;,&quot;codeblockOffset&quot;:3,&quot;secid&quot;:4,&quot;range&quot;:&quot;2143-3736&quot;} --> <h2 class="sectionedit5" id="attempt_4generic_approach">attempt #4: generic approach</h2> <div class="level2"> <p> can this be done? i&#039;ve asked myself the same question this weekend and a solution crossed my mind. we need to have a logic complex enough to hide compile-time knowledge behind runtime-dependent computations. this way we&#039;ll know, we&#039;re not leaking any pieces of information and at the same time make it portable to other languages. logically we want something similar to: </p> <pre class="code c">std<span class="sy0">::</span><span class="me2">string</span> reasonableHash<span class="br0">&#40;</span>std<span class="sy0">::</span><span class="me2">string</span> str<span class="br0">&#41;</span><span class="sy0">;</span> <span class="co1">// &lt;&lt;&lt; any one-way hash function should do here</span> &nbsp; bool checkEqual<span class="br0">&#40;</span>std<span class="sy0">::</span><span class="me2">string</span> const<span class="sy0">&amp;</span> dbHash<span class="sy0">,</span> std<span class="sy0">::</span><span class="me2">string</span> const<span class="sy0">&amp;</span> userHash<span class="br0">&#41;</span> <span class="br0">&#123;</span> <span class="kw1">return</span> reasonableHash<span class="br0">&#40;</span>dhHash<span class="br0">&#41;</span> <span class="sy0">==</span> reasonableHash<span class="br0">&#40;</span>userHash<span class="br0">&#41;</span><span class="sy0">;</span> <span class="br0">&#125;</span></pre> <p> it will cost much more than any of the above implementations, but we&#039;ll be able to do it safely, using any languages. </p> <p> the above solution is however missing one more crucial point. having indexed rainbow tables and big storage, it might still be feasible to narrow down the search, based on output hashes and <a href="https://en.wikipedia.org/wiki/timing attack" class="interwiki iw_wp" title="https://en.wikipedia.org/wiki/timing attack">timing attack</a>, to find proper input-string. </p> <p> this can be however easily solved, by simply adding some extra noise to the system. consider the following implementation: </p> <pre class="code c">std<span class="sy0">::</span><span class="me2">string</span> reasonableHash<span class="br0">&#40;</span>std<span class="sy0">::</span><span class="me2">string</span> str<span class="br0">&#41;</span><span class="sy0">;</span> <span class="co1">// as before</span> std<span class="sy0">::</span><span class="me2">string</span> randomString<span class="br0">&#40;</span><span class="br0">&#41;</span><span class="sy0">;</span> <span class="co1">// PRNG can be used for that</span> &nbsp; bool checkEqual<span class="br0">&#40;</span>std<span class="sy0">::</span><span class="me2">string</span> const<span class="sy0">&amp;</span> dbHash<span class="sy0">,</span> std<span class="sy0">::</span><span class="me2">string</span> const<span class="sy0">&amp;</span> userHash<span class="br0">&#41;</span> <span class="br0">&#123;</span> <span class="kw4">const</span> <span class="kw4">auto</span> junk <span class="sy0">=</span> randomString<span class="br0">&#40;</span><span class="br0">&#41;</span><span class="sy0">;</span> <span class="kw1">return</span> reasonableHash<span class="br0">&#40;</span> junk <span class="sy0">+</span> dhHash <span class="br0">&#41;</span> <span class="sy0">==</span> reasonableHash<span class="br0">&#40;</span> junk <span class="sy0">+</span> userHash <span class="br0">&#41;</span><span class="sy0">;</span> <span class="br0">&#125;</span></pre> <p> using <a href="https://en.wikipedia.org/wiki/pseudo-random number generator" class="interwiki iw_wp" title="https://en.wikipedia.org/wiki/pseudo-random number generator">prng</a> we&#039;re rendering timing attacks worthless, since each time algorithm is executed, it will return completely different hash, than before and string-compare will stop at “random” points. </p> </div> <!-- EDIT{&quot;target&quot;:&quot;section&quot;,&quot;name&quot;:&quot;attempt #4: generic approach&quot;,&quot;hid&quot;:&quot;attempt_4generic_approach&quot;,&quot;codeblockOffset&quot;:4,&quot;secid&quot;:5,&quot;range&quot;:&quot;3737-5465&quot;} --> <h2 class="sectionedit6" id="afterword">afterword</h2> <div class="level2"> <p> it was both fun and learning experience to figure it all out. unfortunately for me, <a href="https://paragonie.com/blog/2015/11/preventing-timing-attacks-on-string-comparison-with-double-hmac-strategy" class="urlextern" title="https://paragonie.com/blog/2015/11/preventing-timing-attacks-on-string-comparison-with-double-hmac-strategy" rel="ugc nofollow">it has already been invented</a> some time ago. ;) </p> </div> <!-- EDIT{&quot;target&quot;:&quot;section&quot;,&quot;name&quot;:&quot;afterword&quot;,&quot;hid&quot;:&quot;afterword&quot;,&quot;codeblockOffset&quot;:6,&quot;secid&quot;:6,&quot;range&quot;:&quot;5466-&quot;} --> anonymous@undisclosed.example.com (Anonymous) Tue, 15 Jun 2021 20:09:18 +0000