Collaborate Disseminate
I am using graphql and my login function is resolved using a promise. The username is an email address.
The steps in the logic are the following: –
Validate CRSF token else return generic response ("Invalid username or password"… Continue reading Preventing authentication (login) timing attacks in a nodejs application
From other password hashing algorithms, I know that when a user tries to log in, and the account does not exist in the first place, it’s best practice to still hash the provided password, so as not to leak information about whether the use… Continue reading argon2id: Do I have to protect against timing attacks on login?
I’m currently using PostgreSQL with the pgcrypto extension to store and verify user passwords. When a user logs in, I compare the entered password with the stored hash using the following query:
SELECT id FROM users
WHERE email = ‘example… Continue reading Is using `crypt` in PostgreSQL for password comparison secure against timing attacks?
About timing my question is:
How can attack know the time of which certain instructions are performed by the victim?
And about the cache, how can attacker know which cache line is being accessed by the victim? Is this doable in "norma… Continue reading How can a timing/cache side-channel attack be performed? How can attack know the time of which certain instructions are performed by the victim?
I’m new to snort. I’m trying to set up rules in snort to detect the presence of covert timing channels. Ideally, I would like to use pre-made rules like the snort community rules.
So far, I’ve found the snort community ruleset and the emer… Continue reading what snort rules can detect covert channels?
I’m using Rust to create a program to attempt a timing attack on a network resource (a printer I lost a password to). I’m wired directly into it. What Linux environmental constraints can I optimize to minimize noise and variability?
Curren… Continue reading What optimization can be made for nanosecond IO and CPU stability when performing a timing attack?
Context
I’ve been recently looking at UUIDs (mostly v4) and their uses to maybe start using them in some of my apps. I started asking myself some question about security as one does. Then I fell on the Is it safe to rely on UUIDs for priva… Continue reading Are webservers’s file serving safe against timing attacks?
I am using bcrypt.js for basic login. I have found that the below code runs noticeably quicker when no user is found, since it exits immediately, and no check is done on the hash. This could give an attacker insight into whether a username… Continue reading Timing Attack using bcrypt.js
Premise: When looking up a secret value in a DB (API key, token, maybe username) it’s near-impossible to guarantee that the lookup doesn’t leak something about the similarity of the candidate value to an existing value. So it makes sense t… Continue reading Constant-time processing only for failures okay?
Conditional code considered cryptographically counterproductive. Continue reading Serious Security: GnuTLS follows OpenSSL, fixes timing attack bug