Skip to content

Create timing_attack.py #9

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
ericwb wants to merge 1 commit into
base: main
Choose a base branch
from

Create timing_attack.py

6ea50c0
Select commit
Loading
Failed to load commit list.
Open

Create timing_attack.py #9

Create timing_attack.py
6ea50c0
Select commit
Loading
Failed to load commit list.
Precaution / Precaution Unsubscribed failed Mar 17, 2025 in 1s

Found 1 failure, 0 warnings, and 0 notices.

The check found 1 failure, 0 warnings, and 0 notices. Review the documentation link on each issue to determine how to resolve. Alternatively, false positives can be suppressed. See documentation for details.

Details

PY005: Observable Timing Discrepancy

Expand for further details

Do not use Python's == operator to compare HMAC digests. The == operator is
not designed to be used for cryptographic comparisons, and it can be
vulnerable to timing attacks. Instead, use the hmac.compare_digest() function
to compare HMAC digests.

The == operator works by comparing the length and contents of two objects.
However, this can be a problem for HMAC digests, because the length of an
HMAC digest is not necessarily unique. For example, two different messages
with the same key will have the same HMAC digest.

A timing attack is a type of attack that exploits the time it takes to
execute a piece of code. In the case of HMAC digests, a timing attack could
be used to determine whether two messages have the same HMAC digest. This
could be used to break the security of an HMAC-protected system.

The hmac.compare_digest() function is designed to be used for cryptographic
comparisons. It works by comparing the binary representations of two HMAC
digests. This makes it more resistant to timing attacks.

Example

import hmac


received_digest = (
    b"\xe2\x93\x08\x19T8\xdc\x80\xef\x87\x90m\x1f\x9d\xf7\xf2"
    "\xf5\x10>\xdbf\xa2\xaf\xf7x\xcdX\xdf"
)

key = b"my-super-duper-secret-key-string"
password = b"pass"
digest = hmac.digest(key, password, digest="sha224")

print(digest == received_digest)

??? example "Example Output"
> precli tests/unit/rules/python/stdlib/hmac/examples/hmac_timing_attack.py ⛔️ Error on line 13 in tests/unit/rules/python/stdlib/hmac/examples/hmac_timing_attack.py PY005: Observable Timing Discrepancy Comparing digests with the '==' operator is vulnerable to timing attacks.

Remediation

The recommendation is to replace the == operator with the function
compare_digest.

import hmac


received_digest = (
    b"\xe2\x93\x08\x19T8\xdc\x80\xef\x87\x90m\x1f\x9d\xf7\xf2"
    "\xf5\x10>\xdbf\xa2\xaf\xf7x\xcdX\xdf"
)

key = b"my-secret-key"
password = b"pass"
digest = hmac.digest(key, password, digest="sha224")

print(hmac.compare_digest(digest, received_digest))

Default Configuration

enabled = true
level = "error"

See also

!!! info
- hmac — Keyed-Hashing for Message Authentication
- CWE-208: Observable Timing Discrepancy

New in version 0.1.4

Precaution v0.7.9

Annotations

Check failure on line 13 in python/stdlib/timing_attack.py

See this annotation in the file changed.

@precaution precaution / Precaution Unsubscribed

PY005: Observable Timing Discrepancy 

Comparing digests with the '==' operator is vulnerable to timing
attacks.
View more details on Precaution