I've asked an ethical hacking colleague to have a look at it as well. > Lately I've been worried that Quixote (and most likely qp) are > vulnerable to a timing attack[1] against the session cookies. > Thinking about it today, I'm pretty sure the hash of the session > dictionary does not save us and the current scheme is vulnerable. > > For those who don't know, the dictionary hash tells Python the entry > in the table to check. A byte-by-byte compare is done on the result > to confirm the key matches. I imagine a successful attack would > proceed as follows: > > 1. try a sequence of session IDs and analyze the timing to > find a key to hashes to an existing session ID's table > entry > > 2. using knowledge of the dictionary hash function, generate a > sequence of session IDs that hash to the same entry, finding > each byte of the session ID based on the timing. > > Step 2 is obviously more complicated depending on the hash function > used. I'm out of my depth here, but I think using a cryptographic > hash on the session ID before storing it would solve the problem. > > Another idea would be to introduce a session password. The ID would > be used to lookup the session object and the password would be > verified using some constant function. Any other thoughts or ideas? > > BTW, it looks like the user password hash used by qp is pretty poor. > It should not be using MD5 unless a protocol requires it. Also, > using a better salt value and "stretching" would be advisable[2]. > > > Neil > > 1. http://codahale.com/a-lesson-in-timing-attacks/ > 2. http://python.ca/nas/log/200812/index.html#08_001 > _______________________________________________ > Quixote-users mailing list > Quixote-users@mems-exchange.org > http://mail.mems-exchange.org/mailman/listinfo/quixote-users > -- Robert Ladyman File-Away Limited 3 Ralston Business Centre, Newtyle, Blairgowrie Perthshire PH12 8TL SCOTLAND Tel: +44 (0) 1828 898 158 Mobile: +44 (0) 7732 771 649 http://www.file-away.co.uk ============================================ Registered Office: 32 Church Street, Newtyle, Blairgowrie Perthshire, PH12 8TZ SCOTLAND Registered in Scotland, Company Number SC222086