Verified Commit 78175b88 authored by Marco De Donno's avatar Marco De Donno

Limit the data extraction based upon execution time

This commit adds a time-wasting function call when the username is not
present in the database. This is done to prevent data extraction — in
this case, whether or not a username exists — based upon the execution
time of the login process.

In the configuration file, the 'fake_hash' variable is computed with the
input data "fake_data" and the salt "fake_salt" to be transparent about
the data used as input for the hashing function.

The comparison with the 'verify()' function is a boolean (always True in
this case), and is not used in any useful way in the login process.

This waste of time is done even if the risk factor is very small (not to
say inexistent).

The location of this function call is designed to be only present if the
username provided as input does not exists in the database. This is done
to not impact real users.
...@@ -10,6 +10,7 @@ import gnupg ...@@ -10,6 +10,7 @@ import gnupg
import redis import redis
import random import random
import string import string
import utils.hash
baseurl = os.environ.get( "BASEURL", "" ) baseurl = os.environ.get( "BASEURL", "" )
envtype = os.environ.get( "ENVTYPE", "" ) envtype = os.environ.get( "ENVTYPE", "" )
...@@ -37,6 +38,9 @@ SESSION_REFRESH_EACH_REQUEST = True ...@@ -37,6 +38,9 @@ SESSION_REFRESH_EACH_REQUEST = True
PERMANENT_SESSION_LIFETIME = 2 * 60 * 60 PERMANENT_SESSION_LIFETIME = 2 * 60 * 60
fake_hash = utils.hash.pbkdf2( word = "fake_data", salt = "fake_salt", iterations = 20000, hash_name = "sha512" ).hash()
fake_hash_stored = utils.hash.pbkdf2( fake_hash, "A" * PASSWORD_SALT_LENGTH, PASSWORD_NB_ITERATIONS ).hash()
redis_url = os.environ.get( "REDIS_URL", "redis://redis:6379/0" ) redis_url = os.environ.get( "REDIS_URL", "redis://redis:6379/0" )
SESSION_REDIS = redis.from_url( redis_url ) SESSION_REDIS = redis.from_url( redis_url )
......
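Review bot: The dummy credential built on the two new lines only equalises login timing if its cost tracks the cost of real stored password hashes, and the fake_hash_stored line relies on pbkdf2's default hash_name while the fake_hash line passes hash_name = "sha512" explicitly; I cannot see how real user hashes are created, but if they use an explicit hash_name the same value should be passed here so both branches of do_login run identical PBKDF2 work. The purpose of these module-level values is also undocumented; I would add `# Dummy credential used only to make the unknown-username path of do_login take as long as a real verification; keep salt length, iteration count and hash_name identical to those used for real password hashes.` Both derivations run at import time, so every process start pays two PBKDF2 computations, which is worth stating in that comment.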
...@@ -153,6 +153,13 @@ def do_login(): ...@@ -153,6 +153,13 @@ def do_login():
if user == None: if user == None:
current_app.logger.error( "Username not found in the database" ) current_app.logger.error( "Username not found in the database" )
# WASTING TIME.
# This is done to limit data extraction for exitsing (or not)
# username based upon the execution time of the login function
# (time-based side channel attack).
# FOR SECURITY REASONS, DO NOT REMOVE THIS LINE
utils.hash.pbkdf2( config.fake_hash, config.fake_hash_stored ).verify()
trigger_rate_limit() trigger_rate_limit()
session_clear_and_prepare() session_clear_and_prepare()
......
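Review bot: The new comment block has a typo ("exitsing") and does not say what keeps the dummy call's cost equal to the real verification; I would rewrite it as `# Timing padding: verify a dummy credential so an unknown username takes as long as a real password check (prevents username enumeration via login timing). config.fake_hash_stored must use the same PBKDF2 parameters as real stored hashes. DO NOT REMOVE.` The call passes only the fake hash and the stored value, so the iteration count and hash_name are presumably taken from the stored-hash encoding; confirm they match those of real user entries, otherwise the two paths still differ measurably. do_login starts before the hunk and continues after it.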