Replies: 1 comment 1 reply
-
This is great, very thoughtful and I appreciate your attention to detail. For example 1 above, I think you are quite right, unrolling the loop makes sense here. I think this particular example is benign, but it would be even more benign if it's unrolled. Example 2 is a bit more tricky. Because the length checks in the branch will always be evaluated, it's not susceptible to any timing attacks because the timing only changes for invalid (and therefore irrelevant) keys. In other words, under normal circumstances, the number of instructions executed will always be the same which doesn't leak any information about the key itself other than the fact that it's valid. The problem with your solution-which is very clever by the way–is twofold:
It's worth taking a look at the libsodium implementation here for reference (which is quite well vetted): You'll notice lines 43-47 contain the same code. I'm not against trying to harden this up, it's not a bad idea to refactor if possible by skipping the check when we call the function here: Lines 132 to 144 in 49e01a6 And then moving the inner part of |
Beta Was this translation helpful? Give feedback.
-
I wasn't sure how to title this in a more inquisitive way, but I was reviewing some of the implementation, and I was wondering if there are some places where some potential branching should/could be removed.
I have a couple of examples that I wanted to go through to see if these concerns are valid before putting anything through valgrind to do any type of deeper analysis.
Example 1
dryoc/src/blake2b/blake2b_soft.rs
Lines 86 to 88 in 49e01a6
Since the for loop is used over a constant range, would it make more sense to unroll it to remove the compiler from the equation?
Example 2
https://github.com/brndnmtthws/dryoc/blob/49e01a6ca6991ede91da0f4151ab23ff82530f2b/src/classic/crypto_kdf.rs#L52C1-L65C6
Should this be refactored to remove the if statement? This one is a bit trickier, but it would mean you use a trait with a constant generic to apply the subkey check and change the parameters to accept only sized arrays instead of a slice.
So something like:
which would fail to compile with this,
Let me know if I am off base at all, but for context I was looking at the KDF code and I was thinking about how someone might want to run the subkey generation several times, and so that got me thinking about side-channel attacks and finally reviewing the code to check for any branching code.
Just to re-iterate I haven't used any analysis tools yet so I'm not implying any issues currently exist, I'm mainly inquiring to explore and learn.
Beta Was this translation helpful? Give feedback.
All reactions