Constant-Time password compare



  • Hi,

    I'm not sure what the general security guidelines for the DuetWifi & RepRapFirmware are, but I noticed that the HTTP/FTP/Telnet password comparison seems to leak timing information. Now, assuming the password should be a safe security protection against unwanted logins & interaction, I would recommend implementing a constant-time password strcmp function, see https://cryptocoding.net/index.php/Coding_rules#Compare_secret_strings_in_constant_time.

    The current implementation uses a loop with early exit, see https://github.com/dc42/RepRapFirmware/blob/dev/src/RepRap.cpp#L1656 and https://github.com/dc42/RepRapFirmware/blob/e2f506e855785d0f0d9786f1285deebf1d51bad8/src/RepRapFirmware.cpp#L217-L230.

    @DC42
    I'm interested to hear your thoughts on this, maybe I'm completely wrong and this doesn't apply here - or attackers can circumvent password-based authentication by other means. However, I feel like we should at least do our best and make authentication and security it as strong as possible given the nature of this project.

    One last question, coming back to the general security guidelines: Would you feel comfortable putting a DuetWifi on the public Internet with ONLY the password protection (M551) and TLS to hide it, or would you generally recommend against it?


  • administrators

    The Duet WiFi does not support TLS yet (it may never do, because of limited CPU power) so the only way I would put one on the public internet is via a VPN. For the next generation Duet we are looking at much stronger security.

    I take your point about using a constant-time string compare, however the variation in the time depending on how much of the password matches is likely to be no more than 1us, which is probably not significant compared with the jitter in the scheduling time from the password arriving to when it gets compared, and also the jitter in the network transport time.



  • Yes, I'm currently terminating TLS on a regular server and then reverse-proxying the traffic to the DuetWifi.
    IMHO the lack of TLS on the Duets itself is fine - I would not want to put such complicated/complex tasks as ASN.1 parsing on my printer anyway 😄

    Just to give a frame of reference, 100ns on the local network, and as low as 15us on the public internet are enough to leak information, according to https://www.cs.rice.edu/~dwallach/pub/crosby-timing2009.pdf.


  • administrators

    Constant time password comparison is now implemented and will be released in 1.21RC2.


Log in to reply