possible timing attack on the `noSuchUserIdentity` check leaks whether user exists
Within SRP6ServerSession, around line 297, it bails out on the noSuchUserIdentity check where there was no salt found, so the user doesn't exist. The purpose is to ensure that we complete the auth flow.
The problem is that for a real user the actual bail-out on a failed login is around line 327 when it does the M1 check. This is after doing the u, S and M1 calculations.
This means that a failed login for a real user does a lot more computation than a failed login for a non-existent user.
There is a really good paper (I need to find the url!) which says that such timing differences can be used to detect whether a given user has an account on a particular service. From a cryptography point of view it exposes information: it allows you to test "does this user exist".
The fix is to move the noSuchUserIdentity check into the same test that throws an exception when the M1 check fails.
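The two control flows described above, side by side, as an added example that is not the library's own code. It is a simplified SRP-6a server session with a toy group (N = 2^255 - 19, g = 2, constructed for the demo), hypothetical method names `step1`, `mock_step1` and `step2`, and a counter of modular exponentiations standing in for wall-clock time so the cost difference is deterministic. With `constant_flow=False` the unknown-user flag is checked before any expensive arithmetic; with `constant_flow=True` the u, S and M1 computations always run and the flag is only consulted in the same test as the M1 comparison.

```python
import hashlib
import secrets

# Toy SRP-6a group, constructed for this demo only; real deployments use an RFC 5054 group.
N = 2**255 - 19
g = 2


def H(*parts: int) -> int:
    """Hash a sequence of big integers (big-endian bytes) into one big integer."""
    h = hashlib.sha256()
    for p in parts:
        h.update(p.to_bytes(max(1, (p.bit_length() + 7) // 8), "big"))
    return int.from_bytes(h.digest(), "big")


k = H(N, g)  # SRP-6a multiplier


def private_key(salt: int, identity: str, password: str) -> int:
    """x = H(s, H(I ":" P)), the client's secret exponent."""
    return H(salt, int.from_bytes(f"{identity}:{password}".encode(), "big"))


def derive_verifier(salt: int, identity: str, password: str) -> int:
    """v = g^x mod N, what the server stores at registration time."""
    return pow(g, private_key(salt, identity, password), N)


class ServerSession:
    """Hypothetical stand-in for an SRP-6a server session (not the library's own class)."""

    def __init__(self, constant_flow: bool):
        self.constant_flow = constant_flow
        self.no_such_user = False
        self.modexp_count = 0  # deterministic cost measure standing in for wall-clock time

    def _pow(self, base: int, exp: int) -> int:
        self.modexp_count += 1
        return pow(base, exp, N)

    def step1(self, salt: int, v: int):
        """Real user: B = k*v + g^b mod N."""
        self.s, self.v = salt, v
        self.b = secrets.randbelow(N - 2) + 1
        self.B = (k * v + self._pow(g, self.b)) % N
        return self.s, self.B

    def mock_step1(self):
        """Unknown user: use a random salt and verifier so the B value looks genuine."""
        self.no_such_user = True
        return self.step1(secrets.randbelow(2**64), secrets.randbelow(N - 1) + 1)

    def step2(self, A: int, M1: int) -> None:
        if A % N == 0:
            raise ValueError("invalid client public value")
        if not self.constant_flow and self.no_such_user:
            # Vulnerable shape: cheap rejection before any expensive arithmetic.
            raise ValueError("authentication failed")
        u = H(A, self.B)
        S = self._pow(A * self._pow(self.v, u), self.b)
        expected_M1 = H(A, self.B, S)
        # Fixed shape: the no-such-user flag is consulted only here, together with the M1 check.
        if self.no_such_user or M1 != expected_M1:
            raise ValueError("authentication failed")


def client_proof(identity: str, password: str, salt: int, B: int):
    """Client side: compute A and the proof M1 = H(A, B, S)."""
    a = secrets.randbelow(N - 2) + 1
    A = pow(g, a, N)
    u = H(A, B)
    x = private_key(salt, identity, password)
    S = pow((B - k * pow(g, x, N)) % N, a + u * x, N)
    return A, H(A, B, S)


def attempt(users: dict, identity: str, password: str, constant_flow: bool):
    """Run one full login; return (authenticated, number of server-side modexps)."""
    sess = ServerSession(constant_flow)
    if identity in users:
        salt, B = sess.step1(*users[identity])
    else:
        salt, B = sess.mock_step1()
    A, M1 = client_proof(identity, password, salt, B)
    try:
        sess.step2(A, M1)
        return True, sess.modexp_count
    except ValueError:
        return False, sess.modexp_count


# Constructed sample user database: identity -> (salt, verifier).
_salt = secrets.randbelow(2**64)
USERS = {"alice": (_salt, derive_verifier(_salt, "alice", "correct horse battery"))}


if __name__ == "__main__":
    for flow in (False, True):
        print("constant_flow" if flow else "vulnerable",
              "| real user, wrong password:", attempt(USERS, "alice", "nope", flow),
              "| unknown user:", attempt(USERS, "mallory", "nope", flow))
```

Running it shows the vulnerable shape doing one modular exponentiation for an unknown user versus three for a real user with a wrong password, while the constant-flow shape does three in both cases; the caller still cannot tell the two rejections apart, because both arrive as the same failure from the same place.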
Comments (2)
reporter - changed status to resolved
The proposed fix looks good to me! Marking it as resolved with commit 525c6fa.
Thanks!
Found the paper https://crypto.stanford.edu/%7Edabo/papers/webtiming.pdf