There is no timing attack possible on MD5 as practically implemented on most platforms. That's because MD5 uses only 32-bit addition, 32-bit bitwise boolean operators, and constant rotations/shifts, which exhibit no data-dependent timing in any reasonable implementation, even one written without consideration for resistance to timing attacks.

There is however a conceivable timing attack, unrelated to MD5, on the code shown (which is PHP, but the same holds in many other languages, with minor variants), aiming at finding the first few characters of the hash value if that is unknown (the equivalent of the constant 550b1f8802ca3d7a987fc46a2af408c3 in the code sample). Assuming the string comparison performed by == proceeds from left to right, character by character, and stops at the first non-matching character, there can be a timing attack on the string comparison: if on average the password test1 (hashing to 5a1…) is rejected significantly more slowly than test0 (hashing to f6f…) and test2 (hashing to ad0…), then the true hash of the password can safely be assumed to start with 5. We can then find and time the rejection of other test passwords whose hash starts with 5 (like test8, hashing to 5e4…) to try to find the second character of the hash, and so on. In this way we need to perform (significant) timing measurements for at most 32×16 well-chosen test passwords in order to find the whole hash.

In practice an attacker trying this will face at least two hurdles:

- The difference in timing is very small, and a variety of things conspire to mask it: network delays, other tasks and the state in which they left the various CPU caches, the numerous clocks on the hardware. In order to make any progress, the attacker will need an awful lot of measurements, a direct network connection, a low-load server, and a sound strategy (such as averaging the observed times for a given test password after some setup-dependent filtering, perhaps keeping only the few lowest measurements if all the accidental masking factors are additive).

- Finding a test password whose hash starts with a given $n$-character prefix requires about $16^n = 2^{4n}$ MD5 evaluations, since each hexadecimal character carries 4 bits, so recovering each further character of the hash costs 16 times more than the previous one. Even at $n = 15$ (about $2^{60}$ evaluations, which is already requiring serious effort) the attacker only gets 15 characters (60 bits) out of 32 (128 bits).
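The following is an added example, not code from the original page or from its PHP sample, that simulates the string-comparison timing attack described above in Python. It assumes a hypothetical secret (the MD5 of a made-up password, standing in for the page's constant), an early-exit comparison of the kind the text assumes for ==, and two attacker oracles: an idealised one that reports how many characters the server's comparison examined, and a noisy wall-clock one that keeps the lowest measurements, as the text suggests. All names (leaky_equals, recover_prefix, step_oracle, timing_oracle, find_password_with_prefix) are assumptions of this example. It also shows the fix, a comparison whose duration does not depend on the position of the first mismatch (hmac.compare_digest here; hash_equals() in PHP).

```python
import hashlib
import hmac
import itertools
import time
from typing import Callable, Tuple

HEX = "0123456789abcdef"


def md5_hex(password: str) -> str:
    """MD5 hex digest, as PHP's md5() returns it."""
    return hashlib.md5(password.encode()).hexdigest()


# Hypothetical secret for this example; stands in for the page's constant
# 550b1f8802ca3d7a987fc46a2af408c3.
SECRET_HASH = md5_hex("correct horse")


def leaky_equals(a: str, b: str) -> Tuple[bool, int]:
    """Left-to-right, early-exit comparison (the behaviour assumed for == above).
    Returns (equal, characters examined); the count is the side channel that real
    code leaks as elapsed time rather than as a number."""
    if len(a) != len(b):
        return False, 0
    steps = 0
    for x, y in zip(a, b):
        steps += 1
        if x != y:
            return False, steps
    return True, steps


def constant_time_equals(a: str, b: str) -> bool:
    """Hardened form: hmac.compare_digest (PHP: hash_equals) runs in time that does
    not depend on where the first mismatch lies."""
    return hmac.compare_digest(a.encode(), b.encode())


def find_password_with_prefix(prefix: str) -> Tuple[str, int]:
    """Brute-force a test password whose MD5 hex digest starts with `prefix`.
    Costs about 16**len(prefix) MD5 evaluations; returns (password, evaluations)."""
    for n in itertools.count():
        pw = f"test{n}"
        if md5_hex(pw).startswith(prefix):
            return pw, n + 1


def step_oracle(password: str) -> float:
    """Idealised side channel: exactly how far the server's comparison got."""
    _, steps = leaky_equals(md5_hex(password), SECRET_HASH)
    return float(steps)


def timing_oracle(password: str, samples: int = 2000) -> float:
    """Realistic side channel: wall-clock rejection time. OS scheduling, caches and
    timer resolution mask the signal, so take many samples and average only the
    lowest tenth (the masking factors are mostly additive delays)."""
    digest = md5_hex(password)
    times = []
    for _ in range(samples):
        t0 = time.perf_counter_ns()
        leaky_equals(digest, SECRET_HASH)
        times.append(time.perf_counter_ns() - t0)
    times.sort()
    keep = times[: samples // 10]
    return sum(keep) / len(keep)


def recover_prefix(oracle: Callable[[str], float], chars: int) -> Tuple[str, int]:
    """Recover the leftmost `chars` hex characters of SECRET_HASH one at a time by
    timing 16 test passwords per position (at most 32x16 for the whole hash).
    Returns (recovered prefix, MD5 evaluations spent building test passwords)."""
    known, total = "", 0
    for _ in range(chars):
        best_char, best_cost = "", -1.0
        for c in HEX:
            pw, evals = find_password_with_prefix(known + c)
            total += evals
            cost = oracle(pw)
            if cost > best_cost:  # slowest rejection = longest matching prefix
                best_char, best_cost = c, cost
        known += best_char
    return known, total


if __name__ == "__main__":
    prefix, work = recover_prefix(step_oracle, 4)
    print(f"ideal oracle: recovered {prefix!r} (true {SECRET_HASH[:4]!r}) "
          f"after {work} MD5 evaluations to build test passwords")
    prefix, _ = recover_prefix(timing_oracle, 2)
    print(f"timing oracle: recovered {prefix!r} (true {SECRET_HASH[:2]!r})")
```

The step oracle recovers the prefix reliably and the evaluation count it reports grows sixteenfold per character, which is the second hurdle above. The timing oracle runs in-process with no network in between and still often gets a character wrong on a busy machine, which is the first hurdle; raising `samples` helps, at the price of many more requests against a real server.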