"The decompiler Bosnian Bill and I made"

this comment has me dying

Not sure whats holding us back

Yeah, it kinda is. Instead of playing on the server's (or locksmith's) terms, you play by your own rules. By tensioning the core, or testing the password repeatedly, you can probe one character at a time and test for timing, or the general feel of the pin in its chamber. With this method, you can turn a brute-force 26^n (n= length of password) possibility problem into a 26*n possibility problem, by finding one pin or character at a time.

Ha!

I made it as cinematic as I know how!

It’s just like in the movies.

@@mCoding side channel attacks always look amazing (if they work)

Reminded me of the ATM hack in Terminator 2.

You have no taste

Indeed! For this reason, in a real timing attack, you would have to combine with an additional attack to cause carefully curated lag on the server, you can take advantage of cache misses in a big way.

Furthermore, passwords are usually hashed first - making timing attacks even harder

@@DevLPful thats true, though that takes a fixed time

@@rogervanbommel1086 it's hashed and added a random salt, making the stored password have the same length. Time attack won't work that way.

@@ko-Daegu yea, there are many ways to prevent this. But then again that's the fun isn't it?

I really like this idea! I'll use an md5 hash for passwords 😀

@@mCoding Perfect! I would also recommend you add some new/recommended functions like PBKDF2 or even Argon2 at the end, to show how far we've come.

Hash collisions is highly unlikely ... and practically not feasible

@@adekeyetemitope2301 Older hash algorithms like MD5 and SHA1 have been susceptible to practical collision attacks for years now. It's even been used in a successful real-world malware campaign (read up on Flame).

@@mCoding with bcrypt an attack like that wiuldnt be possible as easily if at all

Amazing! I'll do my best to stay interesting! Drop by the discord and suggest topics you'd like to see, I may just cover one!

This is just the tip of the iceberg!

@@mCoding would love to see more of this iceberg!

Yep! Super useful for debugging!

@@mCoding Wow, such a cool thing and I never knew about this😂.. Your videos contains more information other than the video topic.

Only from python 3.9+ I believe.

i think its new feature

it was added in python3.8 so don't use it in production code just yet. but yeah it's great for debugging

Yes, check_password(user, x): return True

@@mCoding I mean, MOV (x86 assembly for moving data from one ram location to another) is branchless but Turing complete*. So a branchless password server would be possible. *kzbin.info/www/bejne/iGiodqKNnJt4oc0

I wouldn't count on that protecting you from timing attacks. I don't know much about the Python compiler but from my experience with C++ compilers, there is a huge disconnect between the code you write and what is actually executed on the CPU. CPUs are extremely good at branch prediction and speculative execution and compilers know this and take advantage of it. So it might actually be faster to introduce a branch into the code instead of evauating a complicated expression: Here is an example: You have a (useless) piece of code that either halves or doubles an input depending on whether it is even or not. The expression I wrote is branchless, yet the compiler (Clang 12) decided to introduce a branch. godbolt dot org/z/YjrcG44a5 (KZbin doesn't let me post links so replace the "dot" in the URL.) But even if there is no compiler magic and the CPU actually executes branchless code. With all the caching going on in a CPU I wouldn't be at all surprised if there are functions that take longer to execute for certain inputs than for others.

Implying you don't store the passwords encrypted

@@compuholic82 Wouldn't count on this either, but the compiler has probably vectorised as well. I don't think an attacker will be guessing an entire 16 or 32 bytes correctly.

Thanks for the support! Keep at it and I'm sure soon you will be able to understand every line!

Just curious, with a normal server given the uncontrolled factor (user -> server, server -> user response time) which can vary, is a random response time even required? I know nothing about timing attacks but how would they account for just the general delays across the internet?

To counteract internet variations, hackers can use a dedicated machine like a vps, and use thousands of iterations. They can also use multiple machines. What matters with this attack is that it will always slowly get closer to the answer and with enough time it is highly likely to succeed. Instead of random response times as a countermeasure however, the hashes of strings are usually compared instead and they are always the same length.

@@XerosOfficial Its a pretty far fetched scenario, The idea that in order to bypass 5+ incorrect attempt client timeouts, they will use different machines, VPNs, or simply reset cookies. If you think about the complexity of it. Each machine that makes 5 attempts will need to pass the information of the failed 5 passwords to the next one, so that it doesn't guess the same 5. Then you think about the sheer number of machines/tabs/VPS needed to crack even a 10 digit string, is over 3,628,800. Divide that by 5 attempts per tab/machine/VPS and you will need 725760 different environments all passing their previous attempts to each other just to crack a 10 digit string. Unless its nuclear launch codes during war time, im guessing your flower pot shop customer details are safe with just a client timeout at 5 tries.

@@ashy7198 Client timeouts have many purposes, including acting as a countermeasure to timing attacks. No wonder it doesn't work when they're involved. That's literally one of the reasons they exist. If a company doesn't want to deal with a bunch of old people calling customer service to get their account unlocked, then they will often simply implement password hashing, which is *already highly recommended* for security.

I appreciate it! The more viewers check out my sponsors the more they will want to sponsor me again!

Weak passwords can still be reversed

You have my approval! Can't wait for your next video too!

Very welcome!

80 hours to crack a password is still too low.

If you have the hard-coded API key clientside then provided you have root access there are easier ways to do it

@@douwehuysmans5959 if you have root access it's over regardless, c'mon. The application itself has to function, therefore making it moot. If you're root, you already have the keys or can carry out any task the API could as the application instance.

either bcrypt or argon2, depending on whether you're starting from scratch or not

Passwords aren't the only times timing-attacks are relevant. Many cryptographic algorithms can be difficult to implement such that they run in constant-time at the same time as being able to encrypt large quantities of data quickly. This can arise either though certain operations being quicker for certain pairs of bits (like XOR, which is frequently used in block ciphers), or through careless use of caching to boost performance, which could be exploited to reveal previously encrypted data/encryption keys. Timing is only one form of side-channel attack though, there are many others, including power analysis, accoustic analysis, cache attacks, etc.

You're thinking about whether people use bcrypt when there are plenty of developers out there writing systems that house sensitive information without a clue about security. These are people who store passwords in the clear. I've seen this personally, and the worst part is they know it's frowned upon but they think they're not important enough for anyone to target their companies. Most developers are bad.

Check "constant-time comparison". Many languages provide it as a library function .

@ Why not just hash?

@@tomtravis858 it's better then nothing for sure. The reason why not JUST hash is the same why salt and stretch passwords: too many people choose too weak passwords and so the hashes can be easily broken. Calling a library function is easy anyway, so no good reason to not do it.

Thanks!

Thanks for the kind words!

Indeed, this is a what-not-to-do video, not a best-practices video :). I believe I even mention that the server should not even be storing your password in the first place, as you mention hashes should be used. Unfortunately, one might be temped to "do it oneself" and write one's own authentication system, which is usually how these things end up being a problem in the real world. There are, however, some more practical timing attacks (or at least attacks that partially use timing info) that even got fancy names and logos in recent years. Think of it as the tip of the iceberg for some people who may not have ever been exposed to the idea that timing info can be used against them in this way.

These days, it's assumed that your password database already got stolen somehow; plaintext means all the user data is out there, accessible. Just hash means rainbow tables are viable. Hash+salt means targeted attacks against specific users with rainbow tables work, but it's infeasible to do so for the entire database. Rainbow tables also fall short for complex passwords, even though creating a collision is enough.

You missed the whole point of this video

Hmm... could I still pass arguments to the function this way?

Thanks, glad you like it and them!

Thanks so much!

You got it! Salt + hash is a best practice to prevent this kind of attack, but it is far too subtle to cover in this intro video :)

@@mCoding salt + hash + constant time string comparison. Actually bcrypt does all of those things in one library.

How curious, perhaps you should indulge in these subscribal urges just this once? Yes you could add a random waiting time to thwart this particular attack, but the industry best practice is to use secure hashes instead, which are generally not susceptible to timing attacks. Timing attacks have in recent years been used to do all kinds of things, including leaking server secret keys bit by bit and tricking cpu branch predictors into reading and divulging memory that the user does not have access to. Those were more sophisticated attacks do I wouldn't necessarily call them just timing attacks, but they included a timing component. More generally there is a whole branch of statistics that deals with getting information based off of noisy time series data.

@@mCoding already did some time ago!

@@mCoding do you have good resources for reading about the cpu tricking shenanigans? I'm really interested!

@@mCoding what branch of statistics is that? I’m reminded of information theory a bit but I only know about it in the context of entropy and machine learning. Words like Hamming codes come to mind but I can’t remember what those are really.

@@davidbellamy1388 it goes by the boring name time series analysis.

Thanks!

It depends on how well the video does I suppose! Security is a very complex topic, so don't think that this answer fixes the entire problem, but the way to twart this attack is by using a check password function that uses the same amount of time regardless of how close to correct the guess is. Ideally, the password should be hashed using a cryptographically secure, slow hash function and the password itself shouldn't even be stored on the server, combined with standard server hardening practices like banning after too many wrong attempts.

time.sleep(random.random())

Thanks both of you :D

or purposefully add a random time delay to your password checker

@@XZYSquare A random delay could be averaged out, though. It might be better to choose a response time and then pad all responses to match it. Or create very clever delays to mess up attacks, but you'd have to have a very thorough knowledge of such things to do it. Still, unless you're an expert, Julian is right. Just use things made by experts (and check to be sure your built-in libraries are such)

​@@admthrawnuru calculate how long it takes to get the wrong and right answer wrong = 10; right = 100; async Task doCalculation(string input) { bool answer = input == secretinput; await Task.Delay(random.Next(wrong-wrong*.5, right*1.5)); return answer; } force the calculation to return after the same amount of time is another way as well async Task doCalculation(string input) { Stopwatch sw = new Stopwatch(); sw.Start(); bool answer = SecretTestingMethod(input); sw.Stop(); await Task.Delay(right -sw.ElapsedMiliseconds); return answer; } always return after the same amount of time reguardless of if it tested positive or false

@@XZYSquare The first one is a bad idea. When you use your calculated right and wrong times as bounds, you're leaking information -by returning the random value to the user-

@@olbluelips it returns true or false, not random value

CPython's str compare is implemented in C using a memcmp, which is extremely fast compared even to python's perf_counter. Memcmp compares byte by byte in most implementations (str is unicode so a single character can be multiple bytes). Your system needs to be very fast and well-tuned to accurately time something as short as a single byte comparison, especially since the cpu could theoretically be doing multiple comparisons simultaneously/reordering instructions. If you even have a desktop environment installed on your system, that may significantly affect the timing attack. If you know some more advanced statistics you can deal with higher variance using fancy math. Other than that you can try tweaking the number of iterations and running it many times, sometimes it does better than others.

​@@mCoding Thanks for the elaborate answer! I have researched a bit more now and found this test: x41-dsec.de/lab/blog/memcmpbench/ Even with the high res timer ASM instruction it cannot be exploited under all circumstances. Though there were real attacks with memcmp() and patches to make it constant time, especially in crypto applications. It is also interesting how highly optimized this is in glibc. They are checking at runtime if the CPU supports SIMD vector instructions sets like SSE and AVX and then choose the fastest implementation. For example on every fairly modern desktop CPU this should be AVX2: elixir.bootlin.com/glibc/latest/source/sysdeps/x86_64/multiarch/memcmp-avx2-movbe.S So it can compare up to 256 bit (32 byte) with a single instruction.

Thanks for watching, glad you liked it!

Thank you thank you as always!

Awesome! Welcome!

Well, no, but I provided a reason why I didn't point this out in the description. The solution to the problem is much more subtle than the problem itself, so I didn't want to make it seem too simple like slow_equals or just using hashes in general is the solution. These subtleties are likely topics for future videos though!

This assumes the db store plain text pass. With hashes yes you can't check length but you can try pre-hashed password and check if it is correct

Yeah. There are timing attacks designed for hashed passwords too, though they are much more complicated.

Thank you kindly!

By the way, i loved the video and the chanel is amazing!

Thanks for the support! Glad you enjoyed!

Great observations! Indeed, the more noise there is, the harder it is to use a timing attack. However, noise does not prevent timing attacks, it just means more data or a more sophisticated statistical analysis may be required. Additionally, in the situation presented here there is an obvious attack surface, but in real code beyond password checking it is not necessarily apparent that you could be leaking secret information via timing, which can make it hard to tell where you might want to add noise into in the first place. And finally, there is of course a tradeoff with purposefully adding noise because adding 3% to your runtime might be very costly if you have millions or billions of users. Often there are options to prevent a timing attack without introducing variance, although extra runtime is often the cost you just have to pay.

This will loop over 0 ... length-1 over and over. The first pass may not get all characters correct, so we just keep looping over the whole string until we get it right.

@@mCoding Running the code made it much easier to understand. Thanks for the response!

I tried changing the if min(alt_time) > min(guess_time): conditional take the mean or percentiles, but no luck. The last 5 chars always elude me. I imagine similiar behavior would be seen on a server with lots of processes running

Yes, timing attacks can be very finicky even if you do everything perfectly. Play around and maybe you can get something more consistent. The best thing you can do is to turn off any unnecessary processes that might interrupt and mess with the timing.

Or hash

In general, using more than just letters and numbers is a good idea. But that's probably not going to stop it from working altogether, as you could first try to do it with just lowercase letters, then alphanumeric, then full ascii, for example.

You are gonna have a bad time when you realize how many ways there are :*)

One [somewhat similar] example of an attack was comparing power consumption of a CPU affirming valid passwords vs checking wrong guesses. Storing though, it changes sometimes but has been hash+salt for quite a few years. In cryptography, devil's in the details - even using something tried like bcrypt for password storage, it's very easy to write an insecure application because you didn't enforce rules about transport layer security (by misconfiguring http/https), by accidentally exposing too much client-side, allowing an attacker to steal cookies or hijack the client for CSRF. Huge companies/projects, KZbin included, have fallen victims to this at various points in time.

Actual servers shouldn't store the passwords at all. Typically they just store a salted hash of the password instead.

Glad you enjoyed it!

Technically yes, but a way better solution is just hashing the passwords. Then the time between request and response will be entirely meaningless to the attacker.

Thanks! Glad to have you watching!

You're welcome!

Thank you very much! Glad you liked it!

He mentioned it earlier in the video - server latency / lag can lead to false positives.

Lol, protecting against it is definitely not trivial.

I've done enough coding to know what PyCharm likes and doesn't like, type hinting things helps a lot. So it's pretty second nature to me now.

This can also be solved by rate-limiting clients. And the best way is to just not store passwords as strings, use a decent hashing algorithm, like argon2.

Random length delay (delay for random time in addition to checking) doesn't work. That still leaks some information. If you can do a sufficient number of attempts you still learn something. On the other hand if you can find the longest anything COULD take, you can pick a random *total* time that's always larger than that. Then the only info you leak is information about the min/max that you allowed on the random timer.

@@Fizzfaldt Just choose an execution time let's say 4 seconds. Then look how much time passed during the check and sleep (4-passed_time) seconds and boom you always give 4 seconds to the attacker.

@@brawldude2656 yup! That's exactly what I meant:)

For CPython, you can find the definition of string compare here: github.com/python/cpython/blob/main/Objects/unicodeobject.c, see the function unicode_compare_eq. You can see it does a length check and then does a memcmp, which is usually implemented as a for/while loop comparing byte by byte (so technically not character by character because unicode may use more than 1 byte per character).

@@mCoding Yep guessing that it is c it is much more harder to notice the time difference

Any Update on that?

@@SkielCast Certainly. the genetic algorithm was utterly useless. The reason is that the "vanilla" evolution strategies approach essentially mutates any part (character) of a solution (candidate password) with the same probability. But the string comparison function stops when it detects the first character mismatch. And the execution time of the string comparison is the fitness/objective function. So the first characters are more significant and so, by randomly changing any part of the string (that the GA does) makes the search very unstable.

@@stkyriakoulisdr But maybe that can be solved using an alternative encoding like Gray code to reduce the impact of significant bits or maybe implementing mutation as a random shuffle

Thank you!

Nope, the attacker can still retrieve the hash and reverse it if the password is weak.

This can only work if there is a known plaintext password being compared to, that's not the case for a PDF or you could just extract it directly (unless this is on a server)

Had to look this up to fact-check myself and I have problems when it comes to speech but... zip takes in iterables and returns an iterator with its own things that in turn get referenced. Range here generates a single list that can give you an index to every letter in the string variable "actual". My guess is that range is faster since there is less to do in order to produce a result. Then again it may just be easier to follow with using range. I'm curious to see a timed run comparing each still.

I wasn't even thinking about speed, but rather, what is "Pythonic". We generally want to avoid iterating using an index without an explicit reason for needing it.

@@ProbabilityOverdrive I see what you mean. From my experience, I'd say range is more Pythonic (I assume you're referring to readability and simplicity when saying that). It's more easily understood to use range(len... since it is a thing in about every computer language you'd use for calculations. From my experience if it works well, is easily understood, and is concise I wouldn't fret about using indices (especially when first writing a code and just trying to get it to work). I prefer speed and being clear rather than focusing on convention. Then again I started with Python, worked with C++, C#, and Java, then came back to Python/Cython so that's just my preference.