• Tags
  • Documentation
  • Order
  • Register
  • Login
Duet3D Logo Duet3D
  • Tags
  • Documentation
  • Order
  • Register
  • Login

Constant-Time password compare

Scheduled Pinned Locked Moved
Firmware developers
2
4
736
Loading More Posts
  • Oldest to Newest
  • Newest to Oldest
  • Most Votes
Reply
  • Reply as topic
Log in to reply
This topic has been deleted. Only users with topic management privileges can see it.
  • undefined
    resam
    last edited by 22 Jan 2018, 13:13

    Hi,

    I'm not sure what the general security guidelines for the DuetWifi & RepRapFirmware are, but I noticed that the HTTP/FTP/Telnet password comparison seems to leak timing information. Now, assuming the password should be a safe security protection against unwanted logins & interaction, I would recommend implementing a constant-time password strcmp function, see https://cryptocoding.net/index.php/Coding_rules#Compare_secret_strings_in_constant_time.

    The current implementation uses a loop with early exit, see https://github.com/dc42/RepRapFirmware/blob/dev/src/RepRap.cpp#L1656 and https://github.com/dc42/RepRapFirmware/blob/e2f506e855785d0f0d9786f1285deebf1d51bad8/src/RepRapFirmware.cpp#L217-L230.

    @DC42
    I'm interested to hear your thoughts on this, maybe I'm completely wrong and this doesn't apply here - or attackers can circumvent password-based authentication by other means. However, I feel like we should at least do our best and make authentication and security it as strong as possible given the nature of this project.

    One last question, coming back to the general security guidelines: Would you feel comfortable putting a DuetWifi on the public Internet with ONLY the password protection (M551) and TLS to hide it, or would you generally recommend against it?

    1 Reply Last reply Reply Quote 1
    • undefined
      dc42 administrators
      last edited by 22 Jan 2018, 15:29

      The Duet WiFi does not support TLS yet (it may never do, because of limited CPU power) so the only way I would put one on the public internet is via a VPN. For the next generation Duet we are looking at much stronger security.

      I take your point about using a constant-time string compare, however the variation in the time depending on how much of the password matches is likely to be no more than 1us, which is probably not significant compared with the jitter in the scheduling time from the password arriving to when it gets compared, and also the jitter in the network transport time.

      Duet WiFi hardware designer and firmware engineer
      Please do not ask me for Duet support via PM or email, use the forum
      http://www.escher3d.com, https://miscsolutions.wordpress.com

      1 Reply Last reply Reply Quote 0
      • undefined
        resam
        last edited by 22 Jan 2018, 15:43

        Yes, I'm currently terminating TLS on a regular server and then reverse-proxying the traffic to the DuetWifi.
        IMHO the lack of TLS on the Duets itself is fine - I would not want to put such complicated/complex tasks as ASN.1 parsing on my printer anyway 😄

        Just to give a frame of reference, 100ns on the local network, and as low as 15us on the public internet are enough to leak information, according to https://www.cs.rice.edu/~dwallach/pub/crosby-timing2009.pdf.

        1 Reply Last reply Reply Quote 1
        • undefined
          dc42 administrators
          last edited by 30 Jan 2018, 13:04

          Constant time password comparison is now implemented and will be released in 1.21RC2.

          Duet WiFi hardware designer and firmware engineer
          Please do not ask me for Duet support via PM or email, use the forum
          http://www.escher3d.com, https://miscsolutions.wordpress.com

          1 Reply Last reply Reply Quote 1
          • First post
            Last post
          Unless otherwise noted, all forum content is licensed under CC-BY-SA