possible timing attack on the `noSuchUserIdentity` check leaks whether user exists

Issue #19 resolved
simon created an issue

Within SRP6ServerSession around 297 it bails out on the noSuchUserIdentity check where there was no salt found, so the user doesn't exist. The purpose is to ensure that we complete the auth flow.

The problem is that for a real user the actual bail-out on a failed login is around line 327 when it does the M1 check. This is after doing the u, S and M1 calculations.

This means that a failed login for a real user does a lot more computation than a failed login for a non-existent user.

There is a really good paper (I need to find the url!) which says that such timing differences can be used to detect whether a given user has an account on a particular service. From a cryptography point of view it exposes information: it allows you to test "does this user exist".

The fix is to move the noSuchUserIdentity check into the same test that throws an exception when the M1 check fails.
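The early bail-out versus the late M1 check, as an added example (not Nimbus SRP code): a toy Python SRP-6a server that can run in either shape, with a count of step-2 exponentiations standing in for wall-clock time. The modulus, generator, user store and user names are constructed for the demo, and `fixed=True` folds the unknown-user flag into the single M1 rejection point as the issue proposes.

```python
import hashlib
import secrets

N = 2**127 - 1   # constructed toy modulus for the demo, NOT a real SRP group
g = 3

def H(*parts):   # hash ints (big-endian) and bytes together, returning an int
    h = hashlib.sha256()
    for p in parts:
        if isinstance(p, int):
            p = p.to_bytes((p.bit_length() + 7) // 8 or 1, "big")
        h.update(p)
    return int.from_bytes(h.digest(), "big")

k = H(N, g)

def enroll(username, password):   # salt and verifier v = g^x for the user store
    s = secrets.randbits(64)
    return s, pow(g, H(s, username.encode(), password.encode()), N)
STORE = {"alice": enroll("alice", "correct horse")}   # constructed user database

class Server:
    def __init__(self, fixed):
        self.fixed, self.work = fixed, 0   # work: step-2 exponentiations (stand-in for time)

    def step1(self, username, A):
        rec = STORE.get(username)
        self.no_such_user = rec is None
        # An unknown user gets a fake salt/verifier so the step-1 reply looks normal.
        self.s, self.v = rec or (secrets.randbits(64), pow(g, secrets.randbits(64), N))
        self.A, self.b = A, secrets.randbits(64)
        self.B = (k * self.v + pow(g, self.b, N)) % N
        return self.s, self.B

    def step2(self, M1):
        if self.no_such_user and not self.fixed:
            return False   # vulnerable path: bails out before the u, S, M1 work
        u = H(self.A, self.B)
        S = pow(self.A * pow(self.v, u, N) % N, self.b, N)
        self.work += 2
        # fixed path: unknown-user flag is folded into the single proof check
        return H(self.A, self.B, S) == M1 and not self.no_such_user

def client_login(server, username, password):
    a = secrets.randbits(64)
    A = pow(g, a, N)
    s, B = server.step1(username, A)
    x = H(s, username.encode(), password.encode())
    S = pow((B - k * pow(g, x, N)) % N, a + H(A, B) * x, N)
    return server.step2(H(A, B, S))
```

Compare `.work` after a failed login for an unknown user with one for a real user and a wrong password: the vulnerable server shows 0 versus 2, the fixed server 2 versus 2.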

Comments (2)
