Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Sat, 24 Sep 2016 14:03:43 +0300
From: Alex Smirnoff <ark@...ex.net>
To: passwords@...ts.openwall.com
Subject: Re: Blog Post about Password Resets

Sorry, I did not get the idea.

If you use the whole token's hash as both the selector and verifier, wouldn't
it be easier just to make a verification function that works at a constant time?

(and aren't timing attacks already impactical even if you do not,
because the attacker cannot manipulate arbitray bytes in the hash?)

Powered by blists - more mailing lists

Your e-mail address:

Powered by Openwall GNU/*/Linux - Powered by OpenVZ