[kwlug-disc] Postgresql hash index as a mitigation of timing attack
Khalid Baheyeldin
kb at 2bits.com
Wed Jun 6 15:46:42 EDT 2018
On Wed, Jun 6, 2018 at 2:52 PM, Mikalai Birukou via kwlug-disc <
kwlug-disc at kwlug.org> wrote:
>
> Sometimes we store secret session ids in db, and we use these for
> authentication. Usually there is query that get respective record,
> searching a table for a given by user session id.
> Usual `WHERE` clause uses the most fast comparison, which run timing is
> dependent on input values. This can be used as a base for an attack with
> session id guessing via timing.
>
Are the session IDs sequential? If so, then they should not (ideally) be so.
For example, in Drupal, when it wants to create a session, it calls PHP's
session_id() with a function that basically gets some random bytes, does a
base64 encode on them, and uses that as the session key.
The random bytes are from a variety of sources: if OpenSSL is installed,
then pseudo random bytes from it are requests, otherwise, /dev/urandom,
process ID, microtime(), ....etc.
So, nothing sequential gets used, or stored.
--
Khalid M. Baheyeldin
2bits.com, Inc.
Fast Reliable Drupal
Drupal optimization, development, customization and consulting.
Simplicity is prerequisite for reliability. -- Edsger W.Dijkstra
Simplicity is the ultimate sophistication. -- anonymous
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://kwlug.org/pipermail/kwlug-disc_kwlug.org/attachments/20180606/ae327dba/attachment.htm>
More information about the kwlug-disc
mailing list