Re: [PATCH] lib: memcmp_nta: add timing-attack secure memcmp

From: Daniel Borkmann
Date: Mon Feb 11 2013 - 14:39:31 EST

On 02/11/2013 07:37 PM, Andy Lutomirski wrote:
On 02/10/2013 02:00 PM, Daniel Borkmann wrote:
If you need to compare a password or a hash value, the timing of the
comparison function can give valuable clues to the attacker. Let's
say the password is 123456 and the attacker tries abcdef. If the
comparision function fails at the first byte without looking at the
other bytes, then the attacker can measure the difference in runtime
and deduce which byte was wrong, reducing the attack space from
exponential to polynomial. [Daniel J. Bernstein]

Therefore add memcmp_nta ({n}o {t}iming {a}ttacks) in order to avoid
such scenarios and to facilitate development by providing a generic
function for (e.g.) the crypto and networking subsystems.

Signed-off-by: Daniel Borkmann <dborkman@xxxxxxxxxx>

I read this as "compare memory with non-temporal access". Perhaps
something like "memcpy_constant_time" would be less confusing.

You probably mean "memcmp_constant_time".

Well, this could probably be misinterpreted, that for every possible input
it will take only O(1), which of course it doesn't. It's simply that for both
results (``equals to'', ``does not equal to'') it will take the same amount of
*operations* to achieve this in order to not leak any time information of a
successful or not successful comparison, where the attacker could draw
conclusions if he might have gotten parts of the hash/key/.. right or wrong.
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at
Please read the FAQ at