Xjyuk

When do you stop "pushing" a book?

Why use steam instead of just hot air?

cropping a message using array splits

Improving Sati-Sampajañña (situative wisdom)

Series that evaluates to different values upon changing order of summation

spatiotemporal regression

When quoting someone, is it proper to change "gotta" to "got to" without modifying the rest of the quote?

Why are parallelograms defined as quadrilaterals? What term would encompass polygons with greater than two parallel pairs?

Why is it wrong to *implement* myself a known, published, widely believed to be secure crypto algorithm?

What is the name of meteoroids which hit Moon, Mars, or pretty much anything that isn’t the Earth?

Is it a Munchausen Number?

How to make a language evolve quickly?

Why does it take longer to fly from London to Xi'an than to Beijing

Was the Highlands Ranch shooting the 115th mass shooting in the US in 2019

date -d 'previous Monday" to display the preceding Monday

Is a vertical stabiliser needed for straight line flight in a glider?

Windows OS quantum vs. SQL OS Quantum

Can the president of the United States be guilty of insider trading?

How to handle DM constantly stealing everything from sleeping characters?

Why is PerfectForwardSecrecy considered OK, when it has same defects as salt-less password hashing?

Exception propagation: When to catch exceptions?

Should I pay on student loans in deferment or continue to snowball other debts?

Cryptography and elliptic curves

How is CoreiX like Corei5, i7 is related to Haswell, Ivy Bridge?

Why should password hash verification be time constant?

What encryption hash function I should use for password securing?Why we use GPG signatures for file verification instead of hash values?Why should I hash passwords?Does bcrypt compare the hashes in “length-constant” time?Length-constant password comparison in scrypt?Should email verification be followed by password-based login? Why?Potential collision with hash passwordWhy is hashing a password with multiple hash functions useless?Why should password authentication require sending the password?Why should we protect access to password hashes?

.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty margin-bottom:0;

23

2

In the asp.net core PasswordHasher type there is is remark on the VerifyHashedPassword method

 /// <remarks>Implementations of this method should be time consistent.</remarks>

And then to compare the hashes it uses code that is deliberately not optimised and written not do early exits in the loop.

// Compares two byte arrays for equality. The method is specifically written so that the loop is not optimized.
[MethodImpl(MethodImplOptions.NoInlining | MethodImplOptions.NoOptimization)]
private static bool ByteArraysEqual(byte[] a, byte[] b)

At first I thought that without this timing could be used to determine how close the hash was, if it takes longer then more of the hash is the same.

However this doesn't make sense because the hash has gone through 1000 iterations of SHA256 at this point. So any change in the password would produce a completely different hash, and knowing that your password produces almost the correct hash does not help you find the correct one.

What is the purpose of ensuring a constant time hash verification?

passwords hash

share|improve this question

edited 21 mins ago

forest

41.4k18133149

asked 23 hours ago

trampstertrampster

21615

New contributor

trampster is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.

• 
  
  
  

  
  2
  

  
  
  
  
  
  

  
  
  Is that function used for anything other than comparing hashes?
  
  – forest
  22 hours ago
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  no it is only used for comparing hashes
  
  – trampster
  22 hours ago
  

  
  
  
  


• 
  
  
  

  
  1
  

  
  
  
  
  
  

  
  
  On a side(-attack) note this code assumes that byte comparisons are constant time which isn't guaranteed. It's good that it probably doesn't matter.
  
  – JimmyJames
  9 hours ago
  
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  For better (or worse), code gets copied around. In the current AspNetCore repo BinaryBlob there is a near-identical method that can be used to compare any byte[]. Just because the code you write isn't used for something right now doesn't mean it won't be misused later!
  
  – Carl Walsh
  1 hour ago
  

  
  
  
  

add a comment | 

23

2

In the asp.net core PasswordHasher type there is is remark on the VerifyHashedPassword method

 /// <remarks>Implementations of this method should be time consistent.</remarks>

And then to compare the hashes it uses code that is deliberately not optimised and written not do early exits in the loop.

// Compares two byte arrays for equality. The method is specifically written so that the loop is not optimized.
[MethodImpl(MethodImplOptions.NoInlining | MethodImplOptions.NoOptimization)]
private static bool ByteArraysEqual(byte[] a, byte[] b)

At first I thought that without this timing could be used to determine how close the hash was, if it takes longer then more of the hash is the same.

However this doesn't make sense because the hash has gone through 1000 iterations of SHA256 at this point. So any change in the password would produce a completely different hash, and knowing that your password produces almost the correct hash does not help you find the correct one.

What is the purpose of ensuring a constant time hash verification?

passwords hash

share|improve this question

edited 21 mins ago

forest

41.4k18133149

asked 23 hours ago

trampstertrampster

21615

New contributor

trampster is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.

• 
  
  
  

  
  2
  

  
  
  
  
  
  

  
  
  Is that function used for anything other than comparing hashes?
  
  – forest
  22 hours ago
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  no it is only used for comparing hashes
  
  – trampster
  22 hours ago
  

  
  
  
  


• 
  
  
  

  
  1
  

  
  
  
  
  
  

  
  
  On a side(-attack) note this code assumes that byte comparisons are constant time which isn't guaranteed. It's good that it probably doesn't matter.
  
  – JimmyJames
  9 hours ago
  
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  For better (or worse), code gets copied around. In the current AspNetCore repo BinaryBlob there is a near-identical method that can be used to compare any byte[]. Just because the code you write isn't used for something right now doesn't mean it won't be misused later!
  
  – Carl Walsh
  1 hour ago
  

  
  
  
  

add a comment | 

In the asp.net core PasswordHasher type there is is remark on the VerifyHashedPassword method

 /// <remarks>Implementations of this method should be time consistent.</remarks>

And then to compare the hashes it uses code that is deliberately not optimised and written not do early exits in the loop.

// Compares two byte arrays for equality. The method is specifically written so that the loop is not optimized.
[MethodImpl(MethodImplOptions.NoInlining | MethodImplOptions.NoOptimization)]
private static bool ByteArraysEqual(byte[] a, byte[] b)

At first I thought that without this timing could be used to determine how close the hash was, if it takes longer then more of the hash is the same.

However this doesn't make sense because the hash has gone through 1000 iterations of SHA256 at this point. So any change in the password would produce a completely different hash, and knowing that your password produces almost the correct hash does not help you find the correct one.

What is the purpose of ensuring a constant time hash verification?

passwords hash

share|improve this question

edited 21 mins ago

forest

41.4k18133149

asked 23 hours ago

trampstertrampster

21615

New contributor

trampster is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.

 /// <remarks>Implementations of this method should be time consistent.</remarks>

// Compares two byte arrays for equality. The method is specifically written so that the loop is not optimized.
[MethodImpl(MethodImplOptions.NoInlining | MethodImplOptions.NoOptimization)]
private static bool ByteArraysEqual(byte[] a, byte[] b)

share|improve this question

edited 21 mins ago

forest

41.4k18133149

asked 23 hours ago

trampstertrampster

21615

New contributor

trampster is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.

share|improve this question

edited 21 mins ago

forest

41.4k18133149

asked 23 hours ago

trampstertrampster

21615

New contributor

trampster is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.

edited 21 mins ago

forest

41.4k18133149

edited 21 mins ago

forest

41.4k18133149

asked 23 hours ago

trampstertrampster

21615

New contributor

trampster is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.

asked 23 hours ago

trampstertrampster

21615

1 Answer
1

active

oldest

votes

35

Assuming neither of the hashes are secret and the hashes are secure (which SHA-256 is), there is no reason to check the hash in constant time. In fact, comparing hashes is one of the well-known alternatives to verifying passwords within a constant time routine. I can't say what reason the developers would give for doing this, but it is not technically necessary to make it constant time. Most likely, they were just being cautious. Non-constant time code in a cryptographic library makes auditors anxious.

More information about the theoretical weaknesses is discussed in an answer on the Cryptography site. It explains how, with a significant amount of queries, it can be possible to discover the first several bytes of the hash, which makes it possible to perform an offline computation to discard candidate passwords that obviously wouldn't match (their hash doesn't match the first few discovered bytes of the real hash) and avoid sending them to the password checking service, and why this is unlikely to be a real issue.

share|improve this answer

edited 22 hours ago

answered 22 hours ago

forestforest

41.4k18133149

• 
  
  
  

  
  30
  

  
  
  
  
  
  

  
  
  "Non-constant time code in a cryptographic library makes auditors anxious." - this! If the code is constant time, nobody has to fret about that side channel. If it not, you have to write a comment (or design note) explaining why it's not a problem.
  
  – Martin Bonner
  15 hours ago
  

  
  
  
  

add a comment | 

Your Answer

StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "162"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);

else
createEditor();

);

function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
noCode: true, onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);



);

trampster is a new contributor. Be nice, and check out our Code of Conduct.

draft saved

draft discarded

Sign up or log in

StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);

Sign up using Google

Sign up using Facebook

Sign up using Email and Password

Post as a guest

Name

Email

Required, but never shown

StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f209807%2fwhy-should-password-hash-verification-be-time-constant%23new-answer', 'question_page');

);

Post as a guest

Name

Email

Required, but never shown

35

Assuming neither of the hashes are secret and the hashes are secure (which SHA-256 is), there is no reason to check the hash in constant time. In fact, comparing hashes is one of the well-known alternatives to verifying passwords within a constant time routine. I can't say what reason the developers would give for doing this, but it is not technically necessary to make it constant time. Most likely, they were just being cautious. Non-constant time code in a cryptographic library makes auditors anxious.

More information about the theoretical weaknesses is discussed in an answer on the Cryptography site. It explains how, with a significant amount of queries, it can be possible to discover the first several bytes of the hash, which makes it possible to perform an offline computation to discard candidate passwords that obviously wouldn't match (their hash doesn't match the first few discovered bytes of the real hash) and avoid sending them to the password checking service, and why this is unlikely to be a real issue.

share|improve this answer

edited 22 hours ago

answered 22 hours ago

forestforest

41.4k18133149

• 
  
  
  

  
  30
  

  
  
  
  
  
  

  
  
  "Non-constant time code in a cryptographic library makes auditors anxious." - this! If the code is constant time, nobody has to fret about that side channel. If it not, you have to write a comment (or design note) explaining why it's not a problem.
  
  – Martin Bonner
  15 hours ago
  

  
  
  
  

add a comment | 

35

Assuming neither of the hashes are secret and the hashes are secure (which SHA-256 is), there is no reason to check the hash in constant time. In fact, comparing hashes is one of the well-known alternatives to verifying passwords within a constant time routine. I can't say what reason the developers would give for doing this, but it is not technically necessary to make it constant time. Most likely, they were just being cautious. Non-constant time code in a cryptographic library makes auditors anxious.

More information about the theoretical weaknesses is discussed in an answer on the Cryptography site. It explains how, with a significant amount of queries, it can be possible to discover the first several bytes of the hash, which makes it possible to perform an offline computation to discard candidate passwords that obviously wouldn't match (their hash doesn't match the first few discovered bytes of the real hash) and avoid sending them to the password checking service, and why this is unlikely to be a real issue.

share|improve this answer

edited 22 hours ago

answered 22 hours ago

forestforest

41.4k18133149

• 
  
  
  

  
  30
  

  
  
  
  
  
  

  
  
  "Non-constant time code in a cryptographic library makes auditors anxious." - this! If the code is constant time, nobody has to fret about that side channel. If it not, you have to write a comment (or design note) explaining why it's not a problem.
  
  – Martin Bonner
  15 hours ago
  

  
  
  
  

add a comment | 

Assuming neither of the hashes are secret and the hashes are secure (which SHA-256 is), there is no reason to check the hash in constant time. In fact, comparing hashes is one of the well-known alternatives to verifying passwords within a constant time routine. I can't say what reason the developers would give for doing this, but it is not technically necessary to make it constant time. Most likely, they were just being cautious. Non-constant time code in a cryptographic library makes auditors anxious.

More information about the theoretical weaknesses is discussed in an answer on the Cryptography site. It explains how, with a significant amount of queries, it can be possible to discover the first several bytes of the hash, which makes it possible to perform an offline computation to discard candidate passwords that obviously wouldn't match (their hash doesn't match the first few discovered bytes of the real hash) and avoid sending them to the password checking service, and why this is unlikely to be a real issue.

share|improve this answer

edited 22 hours ago

answered 22 hours ago

forestforest

41.4k18133149

share|improve this answer

edited 22 hours ago

answered 22 hours ago

forestforest

41.4k18133149

answered 22 hours ago

forestforest

41.4k18133149

answered 22 hours ago

forestforest

41.4k18133149