[WEB SECURITY] quick question on password reset 'best practices'

Jeremiah Grossman jeremiah at whitehatsec.com
Wed Jun 4 11:45:05 EDT 2008

On Jun 3, 2008, at 11:37 PM, Sebastian Schinzel wrote:

> Hi Jeremiah,
> Jeremiah Grossman wrote:
>>  However, you have to get really exact with the
>> delays, hard to do, and delays with change dynamically with load  
>> on the system. I think its possible to detect timing resolution  
>> down to 2-digit ms. The other thing that's possible is implement  
>> random timing delays in the flow. This would seem to me to be the  
>> most viable, but have not tested it personally.
> The delays shouldn't be too random. Given a large amount of probes,  
> the random values would be visible as noise around the actual delay  
> while processing.
> true_delay = MIN(all_measured_delays_per_username)
> I suggest that delays should be constant per input value, but not  
> predictable. That way, there is no noise around the actual delay  
> while processing. It is a fixed but random value. Thus, an attacker  
> does not gain any value by comparing the overall delays of  
> different user names.
> Let's assume you want to prevent harvesting of user names:
> <pseudo_code tested="false">
> if authentication_successful == False:
> 	# Get the last three characters (hex) of the combined hash of
> 	# the username and a server-side secret
> 	delay_str = md5(username + secret_string)[-3:]
> 	# Cast the random string from hex to float.
> 	# The delay should be at least 100 ms.
> 	delay = (float(int(delay_str, 16)) / 1000) + 0.1
> 	# Sleep between 0 and 4 seconds (should probably be lower)
> 	time.sleep(delay)
> </pseudo_code>
> Using this methodology: It would be interesting to know whether an  
> attacker can gain any value by measuring the delay deviation per  
> user name. I.e.: Does an existing user name have different delay  
> deviations resulting from server-side processing compared to the  
> delays of non existing user name?
> Comments?

This is clever and would be fun to test out. Would anyone on the list  
have interest in helping develop some sample web app code, placing it  
on a website, and testing it out? If the technique has merit, could  
be the new best practice for defending against timing attacks on web- 
based applications.



Join us on IRC: irc.freenode.net #webappsec

Have a question? Search The Web Security Mailing List Archives: 

Subscribe via RSS: 
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]

Join WASC on LinkedIn

More information about the websecurity mailing list