diff options
| author | Martin Willi <martin@revosec.ch> | 2015-04-11 14:59:22 +0200 |
|---|---|---|
| committer | Martin Willi <martin@revosec.ch> | 2015-04-14 11:51:54 +0200 |
| commit | 39e1ddec2ed3480e0edc07bbabfacbf907dc4e3f (patch) | |
| tree | d628a5fd4c1c89dbc1fa9fe15d45d2605ad63833 /scripts/Makefile.am | |
| parent | b17f0beda805a8096de6a381a4845711a64a500e (diff) | |
| download | strongswan-39e1ddec2ed3480e0edc07bbabfacbf907dc4e3f.tar.bz2 strongswan-39e1ddec2ed3480e0edc07bbabfacbf907dc4e3f.tar.xz | |
scripts: Add a tool that tries to guess MAC/ICV values using validation times
This tool shows that it is trivial to re-construct the value memcmp() compares
against by just measuring the time the non-time-constant memcmp() requires to
fail.
It also shows that even when running without any network latencies it gets
very difficult to reconstruct MAC/ICV values, as the time variances due to the
crypto routines are large enough that it gets difficult to measure the time
that memcmp() actually requires after computing the MAC.
However, the faster/time constant an algorithm is, the more likely is a
successful attack. When using AES-NI, it is possible to reconstruct (parts of)
a valid MAC with this tool, for example with AES-GCM.
While this is all theoretical, and way more difficult to exploit with network
jitter, it nonetheless shows that we should replace any use of memcmp/memeq()
with a constant-time alternative in all sensitive places.
Diffstat (limited to 'scripts/Makefile.am')
| -rw-r--r-- | scripts/Makefile.am | 4 |
1 files changed, 3 insertions, 1 deletions
diff --git a/scripts/Makefile.am b/scripts/Makefile.am index abc6d75dd..c5155efc2 100644 --- a/scripts/Makefile.am +++ b/scripts/Makefile.am @@ -5,7 +5,7 @@ AM_CPPFLAGS = \ noinst_PROGRAMS = bin2array bin2sql id2sql key2keyid keyid2sql oid2der \ thread_analysis dh_speed pubkey_speed crypt_burn hash_burn fetch \ - dnssec malloc_speed aes-test settings-test + dnssec malloc_speed aes-test settings-test timeattack if USE_TLS noinst_PROGRAMS += tls_test @@ -28,6 +28,7 @@ hash_burn_SOURCES = hash_burn.c malloc_speed_SOURCES = malloc_speed.c fetch_SOURCES = fetch.c dnssec_SOURCES = dnssec.c +timeattack_SOURCES = timeattack.c id2sql_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la key2keyid_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la keyid2sql_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la @@ -41,6 +42,7 @@ fetch_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la dnssec_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la aes_test_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la settings_test_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la +timeattack_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la key2keyid.o : $(top_builddir)/config.status |