Why should password hash verification be time constant?What encryption hash function I should use for password securing?Why we use GPG signatures for file verification instead of hash values?Why should I hash passwords?Does bcrypt compare the hashes in “length-constant” time?Length-constant password comparison in scrypt?Should email verification be followed by password-based login? Why?Potential collision with hash passwordWhy is hashing a password with multiple hash functions useless?Why should password authentication require sending the password?Why should we protect access to password hashes?
How does Dreadhorde Arcanist interact with split cards?
How to teach an undergraduate course without having taken that course formally before?
One word for 'the thing that attracts me'?
Is there an idiom that means that you are in a very strong negotiation position in a negotiation?
Visual Block Mode edit with sequential number
I want to ask company flying me out for office tour if I can bring my fiance
Who wrote “A writer only begins a book. A reader finishes it.”
Why is the Eisenstein ideal paper so great?
How to write numbers and percentage?
Is a world with one country feeding everyone possible?
Are runways booked by airlines to land their planes?
What did the 'turbo' button actually do?
Count all vowels in string
How can I get a refund from a seller who only accepts Zelle?
Are there historical examples of audiences drawn to a work that was "so bad it's good"?
Why did other houses not demand this?
Is it normal to "extract a paper" from a master thesis?
Possibility of faking someone's public key
resolution bandwidth
Knight's Tour on a 7x7 Board starting from D5
Python script to extract text from PDF with images
Alexandrov's generalization of Cauchy's rigidity theorem
Status of proof by contradiction and excluded middle throughout the history of mathematics?
Can a UK national work as a paid shop assistant in the USA?
Why should password hash verification be time constant?
What encryption hash function I should use for password securing?Why we use GPG signatures for file verification instead of hash values?Why should I hash passwords?Does bcrypt compare the hashes in “length-constant” time?Length-constant password comparison in scrypt?Should email verification be followed by password-based login? Why?Potential collision with hash passwordWhy is hashing a password with multiple hash functions useless?Why should password authentication require sending the password?Why should we protect access to password hashes?
.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty margin-bottom:0;
In the asp.net core PasswordHasher type there is is remark on the VerifyHashedPassword method
/// <remarks>Implementations of this method should be time consistent.</remarks>
And then to compare the hashes it uses code that is deliberately not optimised and written not do early exits in the loop.
// Compares two byte arrays for equality. The method is specifically written so that the loop is not optimized.
[MethodImpl(MethodImplOptions.NoInlining | MethodImplOptions.NoOptimization)]
private static bool ByteArraysEqual(byte[] a, byte[] b)
if (a == null && b == null)
return true;
if (a == null
At first I thought that without this timing could be used to determine how close the hash was, if it takes longer then more of the hash is the same.
However this doesn't make sense because the hash has gone through 1000 iterations of SHA256 at this point. So any change in the password would produce a completely different hash, and knowing that your password produces almost the correct hash does not help you find the correct one.
What is the purpose of ensuring a constant time hash verification?
passwords hash
add a comment |
In the asp.net core PasswordHasher type there is is remark on the VerifyHashedPassword method
/// <remarks>Implementations of this method should be time consistent.</remarks>
And then to compare the hashes it uses code that is deliberately not optimised and written not do early exits in the loop.
// Compares two byte arrays for equality. The method is specifically written so that the loop is not optimized.
[MethodImpl(MethodImplOptions.NoInlining | MethodImplOptions.NoOptimization)]
private static bool ByteArraysEqual(byte[] a, byte[] b)
if (a == null && b == null)
return true;
if (a == null
At first I thought that without this timing could be used to determine how close the hash was, if it takes longer then more of the hash is the same.
However this doesn't make sense because the hash has gone through 1000 iterations of SHA256 at this point. So any change in the password would produce a completely different hash, and knowing that your password produces almost the correct hash does not help you find the correct one.
What is the purpose of ensuring a constant time hash verification?
passwords hash
3
Is that function used for anything other than comparing hashes?
– forest
May 9 at 2:12
no it is only used for comparing hashes
– trampster
May 9 at 2:14
1
On a side(-attack) note this code assumes that byte comparisons are constant time which isn't guaranteed. It's good that it probably doesn't matter.
– JimmyJames
May 9 at 16:06
For better (or worse), code gets copied around. In the current AspNetCore repo BinaryBlob there is a near-identical method that can be used to compare anybyte[]
. Just because the code you write isn't used for something right now doesn't mean it won't be misused later!
– Carl Walsh
May 9 at 23:35
You can usevarName |= a[i] ^ b[i];
in the loop instead. Initialize the variable to zero. Finally, returnvarName == 0
. The XOR of two values is zero if and only if the values are the same. Once you OR a non-zero value intovarName
, the set bits of the value|=
'd intovarName
will stay set. Bitwise operations on values of the native machine word size are constant time, so the modified function will be constant time too. (Assuming the compiler doesn't, as an optimization, insert an early exit into the loop.)
– Future Security
May 10 at 15:40
add a comment |
In the asp.net core PasswordHasher type there is is remark on the VerifyHashedPassword method
/// <remarks>Implementations of this method should be time consistent.</remarks>
And then to compare the hashes it uses code that is deliberately not optimised and written not do early exits in the loop.
// Compares two byte arrays for equality. The method is specifically written so that the loop is not optimized.
[MethodImpl(MethodImplOptions.NoInlining | MethodImplOptions.NoOptimization)]
private static bool ByteArraysEqual(byte[] a, byte[] b)
if (a == null && b == null)
return true;
if (a == null
At first I thought that without this timing could be used to determine how close the hash was, if it takes longer then more of the hash is the same.
However this doesn't make sense because the hash has gone through 1000 iterations of SHA256 at this point. So any change in the password would produce a completely different hash, and knowing that your password produces almost the correct hash does not help you find the correct one.
What is the purpose of ensuring a constant time hash verification?
passwords hash
In the asp.net core PasswordHasher type there is is remark on the VerifyHashedPassword method
/// <remarks>Implementations of this method should be time consistent.</remarks>
And then to compare the hashes it uses code that is deliberately not optimised and written not do early exits in the loop.
// Compares two byte arrays for equality. The method is specifically written so that the loop is not optimized.
[MethodImpl(MethodImplOptions.NoInlining | MethodImplOptions.NoOptimization)]
private static bool ByteArraysEqual(byte[] a, byte[] b)
if (a == null && b == null)
return true;
if (a == null
At first I thought that without this timing could be used to determine how close the hash was, if it takes longer then more of the hash is the same.
However this doesn't make sense because the hash has gone through 1000 iterations of SHA256 at this point. So any change in the password would produce a completely different hash, and knowing that your password produces almost the correct hash does not help you find the correct one.
What is the purpose of ensuring a constant time hash verification?
passwords hash
passwords hash
edited May 10 at 0:49
forest
42.3k18136152
42.3k18136152
asked May 9 at 2:11
trampstertrampster
24625
24625
3
Is that function used for anything other than comparing hashes?
– forest
May 9 at 2:12
no it is only used for comparing hashes
– trampster
May 9 at 2:14
1
On a side(-attack) note this code assumes that byte comparisons are constant time which isn't guaranteed. It's good that it probably doesn't matter.
– JimmyJames
May 9 at 16:06
For better (or worse), code gets copied around. In the current AspNetCore repo BinaryBlob there is a near-identical method that can be used to compare anybyte[]
. Just because the code you write isn't used for something right now doesn't mean it won't be misused later!
– Carl Walsh
May 9 at 23:35
You can usevarName |= a[i] ^ b[i];
in the loop instead. Initialize the variable to zero. Finally, returnvarName == 0
. The XOR of two values is zero if and only if the values are the same. Once you OR a non-zero value intovarName
, the set bits of the value|=
'd intovarName
will stay set. Bitwise operations on values of the native machine word size are constant time, so the modified function will be constant time too. (Assuming the compiler doesn't, as an optimization, insert an early exit into the loop.)
– Future Security
May 10 at 15:40
add a comment |
3
Is that function used for anything other than comparing hashes?
– forest
May 9 at 2:12
no it is only used for comparing hashes
– trampster
May 9 at 2:14
1
On a side(-attack) note this code assumes that byte comparisons are constant time which isn't guaranteed. It's good that it probably doesn't matter.
– JimmyJames
May 9 at 16:06
For better (or worse), code gets copied around. In the current AspNetCore repo BinaryBlob there is a near-identical method that can be used to compare anybyte[]
. Just because the code you write isn't used for something right now doesn't mean it won't be misused later!
– Carl Walsh
May 9 at 23:35
You can usevarName |= a[i] ^ b[i];
in the loop instead. Initialize the variable to zero. Finally, returnvarName == 0
. The XOR of two values is zero if and only if the values are the same. Once you OR a non-zero value intovarName
, the set bits of the value|=
'd intovarName
will stay set. Bitwise operations on values of the native machine word size are constant time, so the modified function will be constant time too. (Assuming the compiler doesn't, as an optimization, insert an early exit into the loop.)
– Future Security
May 10 at 15:40
3
3
Is that function used for anything other than comparing hashes?
– forest
May 9 at 2:12
Is that function used for anything other than comparing hashes?
– forest
May 9 at 2:12
no it is only used for comparing hashes
– trampster
May 9 at 2:14
no it is only used for comparing hashes
– trampster
May 9 at 2:14
1
1
On a side(-attack) note this code assumes that byte comparisons are constant time which isn't guaranteed. It's good that it probably doesn't matter.
– JimmyJames
May 9 at 16:06
On a side(-attack) note this code assumes that byte comparisons are constant time which isn't guaranteed. It's good that it probably doesn't matter.
– JimmyJames
May 9 at 16:06
For better (or worse), code gets copied around. In the current AspNetCore repo BinaryBlob there is a near-identical method that can be used to compare any
byte[]
. Just because the code you write isn't used for something right now doesn't mean it won't be misused later!– Carl Walsh
May 9 at 23:35
For better (or worse), code gets copied around. In the current AspNetCore repo BinaryBlob there is a near-identical method that can be used to compare any
byte[]
. Just because the code you write isn't used for something right now doesn't mean it won't be misused later!– Carl Walsh
May 9 at 23:35
You can use
varName |= a[i] ^ b[i];
in the loop instead. Initialize the variable to zero. Finally, return varName == 0
. The XOR of two values is zero if and only if the values are the same. Once you OR a non-zero value into varName
, the set bits of the value |=
'd into varName
will stay set. Bitwise operations on values of the native machine word size are constant time, so the modified function will be constant time too. (Assuming the compiler doesn't, as an optimization, insert an early exit into the loop.)– Future Security
May 10 at 15:40
You can use
varName |= a[i] ^ b[i];
in the loop instead. Initialize the variable to zero. Finally, return varName == 0
. The XOR of two values is zero if and only if the values are the same. Once you OR a non-zero value into varName
, the set bits of the value |=
'd into varName
will stay set. Bitwise operations on values of the native machine word size are constant time, so the modified function will be constant time too. (Assuming the compiler doesn't, as an optimization, insert an early exit into the loop.)– Future Security
May 10 at 15:40
add a comment |
1 Answer
1
active
oldest
votes
Assuming neither of the hashes are secret and the hashes are secure (which SHA-256 is), there is no reason to check the hash in constant time. In fact, comparing hashes is one of the well-known alternatives to verifying passwords within a constant time routine. I can't say what reason the developers would give for doing this, but it is not technically necessary to make it constant time. Most likely, they were just being cautious. Non-constant time code in a cryptographic library makes auditors anxious.
More information about the theoretical weaknesses is discussed in an answer on the Cryptography site. It explains how, with a significant amount of queries, it can be possible to discover the first several bytes of the hash, which makes it possible to perform an offline computation to discard candidate passwords that obviously wouldn't match (their hash doesn't match the first few discovered bytes of the real hash) and avoid sending them to the password checking service, and why this is unlikely to be a real issue.
36
"Non-constant time code in a cryptographic library makes auditors anxious." - this! If the code is constant time, nobody has to fret about that side channel. If it not, you have to write a comment (or design note) explaining why it's not a problem.
– Martin Bonner
May 9 at 9:18
add a comment |
Your Answer
StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "162"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);
else
createEditor();
);
function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
noCode: true, onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);
);
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f209807%2fwhy-should-password-hash-verification-be-time-constant%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
1 Answer
1
active
oldest
votes
1 Answer
1
active
oldest
votes
active
oldest
votes
active
oldest
votes
Assuming neither of the hashes are secret and the hashes are secure (which SHA-256 is), there is no reason to check the hash in constant time. In fact, comparing hashes is one of the well-known alternatives to verifying passwords within a constant time routine. I can't say what reason the developers would give for doing this, but it is not technically necessary to make it constant time. Most likely, they were just being cautious. Non-constant time code in a cryptographic library makes auditors anxious.
More information about the theoretical weaknesses is discussed in an answer on the Cryptography site. It explains how, with a significant amount of queries, it can be possible to discover the first several bytes of the hash, which makes it possible to perform an offline computation to discard candidate passwords that obviously wouldn't match (their hash doesn't match the first few discovered bytes of the real hash) and avoid sending them to the password checking service, and why this is unlikely to be a real issue.
36
"Non-constant time code in a cryptographic library makes auditors anxious." - this! If the code is constant time, nobody has to fret about that side channel. If it not, you have to write a comment (or design note) explaining why it's not a problem.
– Martin Bonner
May 9 at 9:18
add a comment |
Assuming neither of the hashes are secret and the hashes are secure (which SHA-256 is), there is no reason to check the hash in constant time. In fact, comparing hashes is one of the well-known alternatives to verifying passwords within a constant time routine. I can't say what reason the developers would give for doing this, but it is not technically necessary to make it constant time. Most likely, they were just being cautious. Non-constant time code in a cryptographic library makes auditors anxious.
More information about the theoretical weaknesses is discussed in an answer on the Cryptography site. It explains how, with a significant amount of queries, it can be possible to discover the first several bytes of the hash, which makes it possible to perform an offline computation to discard candidate passwords that obviously wouldn't match (their hash doesn't match the first few discovered bytes of the real hash) and avoid sending them to the password checking service, and why this is unlikely to be a real issue.
36
"Non-constant time code in a cryptographic library makes auditors anxious." - this! If the code is constant time, nobody has to fret about that side channel. If it not, you have to write a comment (or design note) explaining why it's not a problem.
– Martin Bonner
May 9 at 9:18
add a comment |
Assuming neither of the hashes are secret and the hashes are secure (which SHA-256 is), there is no reason to check the hash in constant time. In fact, comparing hashes is one of the well-known alternatives to verifying passwords within a constant time routine. I can't say what reason the developers would give for doing this, but it is not technically necessary to make it constant time. Most likely, they were just being cautious. Non-constant time code in a cryptographic library makes auditors anxious.
More information about the theoretical weaknesses is discussed in an answer on the Cryptography site. It explains how, with a significant amount of queries, it can be possible to discover the first several bytes of the hash, which makes it possible to perform an offline computation to discard candidate passwords that obviously wouldn't match (their hash doesn't match the first few discovered bytes of the real hash) and avoid sending them to the password checking service, and why this is unlikely to be a real issue.
Assuming neither of the hashes are secret and the hashes are secure (which SHA-256 is), there is no reason to check the hash in constant time. In fact, comparing hashes is one of the well-known alternatives to verifying passwords within a constant time routine. I can't say what reason the developers would give for doing this, but it is not technically necessary to make it constant time. Most likely, they were just being cautious. Non-constant time code in a cryptographic library makes auditors anxious.
More information about the theoretical weaknesses is discussed in an answer on the Cryptography site. It explains how, with a significant amount of queries, it can be possible to discover the first several bytes of the hash, which makes it possible to perform an offline computation to discard candidate passwords that obviously wouldn't match (their hash doesn't match the first few discovered bytes of the real hash) and avoid sending them to the password checking service, and why this is unlikely to be a real issue.
edited May 9 at 2:27
answered May 9 at 2:17
forestforest
42.3k18136152
42.3k18136152
36
"Non-constant time code in a cryptographic library makes auditors anxious." - this! If the code is constant time, nobody has to fret about that side channel. If it not, you have to write a comment (or design note) explaining why it's not a problem.
– Martin Bonner
May 9 at 9:18
add a comment |
36
"Non-constant time code in a cryptographic library makes auditors anxious." - this! If the code is constant time, nobody has to fret about that side channel. If it not, you have to write a comment (or design note) explaining why it's not a problem.
– Martin Bonner
May 9 at 9:18
36
36
"Non-constant time code in a cryptographic library makes auditors anxious." - this! If the code is constant time, nobody has to fret about that side channel. If it not, you have to write a comment (or design note) explaining why it's not a problem.
– Martin Bonner
May 9 at 9:18
"Non-constant time code in a cryptographic library makes auditors anxious." - this! If the code is constant time, nobody has to fret about that side channel. If it not, you have to write a comment (or design note) explaining why it's not a problem.
– Martin Bonner
May 9 at 9:18
add a comment |
Thanks for contributing an answer to Information Security Stack Exchange!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f209807%2fwhy-should-password-hash-verification-be-time-constant%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
3
Is that function used for anything other than comparing hashes?
– forest
May 9 at 2:12
no it is only used for comparing hashes
– trampster
May 9 at 2:14
1
On a side(-attack) note this code assumes that byte comparisons are constant time which isn't guaranteed. It's good that it probably doesn't matter.
– JimmyJames
May 9 at 16:06
For better (or worse), code gets copied around. In the current AspNetCore repo BinaryBlob there is a near-identical method that can be used to compare any
byte[]
. Just because the code you write isn't used for something right now doesn't mean it won't be misused later!– Carl Walsh
May 9 at 23:35
You can use
varName |= a[i] ^ b[i];
in the loop instead. Initialize the variable to zero. Finally, returnvarName == 0
. The XOR of two values is zero if and only if the values are the same. Once you OR a non-zero value intovarName
, the set bits of the value|=
'd intovarName
will stay set. Bitwise operations on values of the native machine word size are constant time, so the modified function will be constant time too. (Assuming the compiler doesn't, as an optimization, insert an early exit into the loop.)– Future Security
May 10 at 15:40