Re: [WEB SECURITY] quick question on password reset 'best practices'
- From: Sebastian Schinzel <Sebastian.Schinzel@xxxxxxxxxxxxxxx>
- Subject: Re: [WEB SECURITY] quick question on password reset 'best practices'
- Date: Wed, 04 Jun 2008 08:37:00 +0200
Hi Jeremiah,
Jeremiah Grossman wrote:
> However, you have to get really exact with the
> delays, hard to do, and delays will change dynamically with load on the
> system. I think it's possible to detect timing resolution down to 2-digit
> ms. The other thing that's possible is to implement random timing delays in
> the flow. This would seem to me to be the most viable, but have not
> tested it personally.
The delays shouldn't be too random. Given a large number of probes, the
random values would be visible as noise around the actual delay while
processing:
true_delay = MIN(all_measured_delays_per_username)
I suggest that delays should be constant per input value, but not
predictable. That way, there is no noise around the actual delay while
processing. It is a fixed but random value. Thus, an attacker does not
gain any value by comparing the overall delays of different user names.
Let's assume you want to prevent harvesting of user names:
<pseudo_code tested="false">
import hashlib
import time

if not authentication_successful:
    # Get the last three characters (hex) of the combined hash of
    # the username and a server-side secret
    delay_str = hashlib.md5((username + secret_string).encode()).hexdigest()[-3:]
    # Cast the random string from hex to float.
    # The delay should be at least 100 ms.
    delay = (float(int(delay_str, 16)) / 1000) + 0.1
    # Sleep between 0.1 and about 4.2 seconds (should probably be lower)
    time.sleep(delay)
</pseudo_code>
Using this methodology: It would be interesting to know whether an
attacker can gain any value by measuring the delay deviation per user
name. I.e.: Does an existing user name have different delay deviations
resulting from server-side processing compared to the delays of a
non-existing user name?
Comments?
Cheers,
Sebastian
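A simulation of the two approaches discussed above, added here as an example and not part of the original thread: it models failed-login timings with constructed numbers (50 ms when the user exists, 5 ms when not, up to 30 ms of load jitter), applies a fresh random delay per request versus a constant per-username delay, and takes the minimum over many probes as the true_delay = MIN(...) formula in the post does. HMAC-SHA256 stands in for the md5(username + secret) construction; the secret, user names and timings are all constructed for the demo.

```python
import hashlib
import hmac
import random

# Constructed secret for the demo; the post keeps this value server-side.
SECRET = b"constructed-demo-secret"

def per_user_delay(username, secret=SECRET, floor=0.1):
    """Fixed-but-unpredictable delay per username (the post's scheme).
    HMAC-SHA256 replaces md5(username + secret); the last 3 hex digits
    give 0..4.095 s, plus the 100 ms floor from the pseudo-code."""
    tail = hmac.new(secret, username.encode(), hashlib.sha256).hexdigest()[-3:]
    return int(tail, 16) / 1000 + floor

def failed_login_time(username, exists, scheme, rng):
    """Constructed timing model of one failed login (not a real server):
    an existing user costs a password-hash check (50 ms), a missing one
    only a lookup (5 ms); both get up to 30 ms of load jitter."""
    processing = 0.050 if exists else 0.005
    jitter = rng.uniform(0, 0.030)
    if scheme == "random":      # fresh random delay on every request
        return processing + rng.uniform(0, 1.0) + jitter
    if scheme == "per_user":    # constant delay per input value
        return processing + per_user_delay(username) + jitter
    return processing + jitter  # no countermeasure at all

def observed_minimum(username, exists, scheme, probes=2000, seed=7):
    """true_delay = MIN(all_measured_delays_per_username), from the post.
    The RNG is seeded per name so each name gets its own noise sequence."""
    rng = random.Random(f"{seed}:{username}")
    return min(failed_login_time(username, exists, scheme, rng)
               for _ in range(probes))

def enumeration_signal(scheme, real="alice", fake="mallory"):
    """Difference of minima between a real and a bogus name. With random
    per-request delays it converges to the 45 ms processing gap; with
    per-user constant delays it is dominated by the name-dependent offset,
    which says nothing about whether either account exists."""
    return (observed_minimum(real, True, scheme)
            - observed_minimum(fake, False, scheme))

if __name__ == "__main__":
    for scheme in ("none", "random", "per_user"):
        print(f"{scheme:9s} min(real) - min(fake) = "
              f"{enumeration_signal(scheme):+.3f} s")
```

The per_user result still exposes processing time plus the fixed offset, which is exactly the "delay deviation" question Sebastian raises: the simulation uses the same jitter for both names, so it cannot answer whether a real server's processing variance differs.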