Closed
Bug 1456659
Opened 6 years ago
Closed 5 years ago
Sync should use a constant time comparison for the HMAC verification.
Categories
(Firefox :: Sync, enhancement, P2)
Firefox
Sync
Tracking
()
RESOLVED
WONTFIX
People
(Reporter: tcsc, Assigned: lina)
References
Details
Attachments
(1 file)
Specifically, this check https://searchfox.org/mozilla-central/rev/36dec78aecc40539ecc8d78e91612e38810f963c/services/sync/modules/record.js#161 should be done using a constant time comparison. From IRC: <rfkelly> if we have a good constant-time comparison in the desktop client, I think we should change that code to use it from a hygiene perspective <rfkelly> if the client has some predictable behaviour that it takes in response to a bad hmac, you can imagine a malicious server handing it known bad BSOs to decrypt, observing the clients behaviour in response, and slowly trying to recover the key through timing info <rfkelly> it seems extraordinarily improbably in practice, but if it doesn't cost us much to prevent it, well... That said, I have no idea where to find such a function. It's not part of WebCrypto, and AFAICT before we used that we called into NSS via jsctypes D:
|
||
Comment 1•6 years ago
|
||
To say a few more words, I'm wondering whether there's a way for a server to do something like: * Feed the client bad BSOs in a way that triggers a retry loop, which would allow it to harvest HMAC timing data from the clients retry requests * Use the HMAC timing leak to forge a /crypto/keys record with a valid HMAC * Feed the forged /crypto/keys record to the client, causing it to start using encryption keys known to the server That doesn't seem particular plausible, but I'm not prepared to rule it out entirely.
| Comment hidden (mozreview-request) |
|
Assignee | |
Comment 3•6 years ago
|
||
Comment on attachment 8971473 [details] Bug 1456659 - Use `crypto.subtle.verify` to verify Sync record HMACs. f?tcsc I played around with this a bit on the train. `crypto.subtle.verify` uses a constant-time comparison (https://searchfox.org/mozilla-central/rev/78dbe34925f04975f16cb9a5d4938be714d41897/dom/crypto/WebCryptoTask.cpp#1097-1100), and switching us over doesn't seem too cumbersome...the hardest part is figuring out the different encodings and types of the arguments. Array buffers? Binary strings? Base64-encoded strings? Hex-encoded strings, for extension storage? Also, I don't think many (any?) of our xpcshell tests use real crypto, so this will need a full TPS run. Try is suspiciously green: https://treeherder.mozilla.org/#/jobs?repo=try&revision=f016945d5e88d20e14f3e533a0c0c7f62d4afff6
Attachment #8971473 -
Flags: feedback?(tchiovoloni)
|
Reporter | |
Comment 4•6 years ago
|
||
| mozreview-review | ||
Comment on attachment 8971473 [details] Bug 1456659 - Use `crypto.subtle.verify` to verify Sync record HMACs. f?tcsc https://reviewboard.mozilla.org/r/240216/#review246486 LGTM, I raised some concerns in IRC but they turned out to be unfounded.
|
|
Reporter | |
Updated•6 years ago
|
Attachment #8971473 -
Flags: feedback?(tchiovoloni) → feedback+
|
||
Updated•6 years ago
|
Assignee: nobody → kit
Priority: -- → P2
|
|
Reporter | |
Comment 5•6 years ago
|
||
What is the behavior here if the HMAC string is the wrong size?
|
|
Assignee | |
Comment 6•5 years ago
|
||
I'm not actively working on this bug, and verify_hmac_string in our Rust adapter does a constant-time comparison, so I think we can WONTFIX unless there's a compelling reason to keep it open.
(In reply to Thom Chiovoloni [:tcsc] from comment #5)
What is the behavior here if the HMAC string is the wrong size?
Web Crypto won't call into NSS at all, and will return false. I guess that leaks timing based on the string length, but seems like that's acceptable, based on https://bugzilla.mozilla.org/show_bug.cgi?id=998802#c12.
Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → WONTFIX
You need to log in
before you can comment on or make changes to this bug.
Description
•