Pure Python Data Mangling or Encrypting
Ian Kelly
ian.g.kelly at gmail.com
Sat Jun 27 11:09:28 EDT 2015
On Sat, Jun 27, 2015 at 2:38 AM, Steven D'Aprano <steve at pearwood.info> wrote:
> Can you [generic you] believe that attackers can *reliably* attack remote
> systems based on a 20µs timing differences? If you say "No", then you fail
> Security 101 and should step away from the computer until a security expert
> can be called in to review your code.
Of course. I wouldn't bet the house on it, but with the proposed
substitution cipher system, I don't see why there would be any
measurable timing differences at all based on the choice of key. The
time to obfuscate a single byte is constant, so the total time to
obfuscate the payload should just be a function of the length of the
data.
Secondly, the 200 (or whatever) response to the client does not depend
on the outcome of the obfuscation step, so there is no reason that the
server cannot simply respond first and obfuscate after, giving the
client nothing to time.
More information about the Python-list
mailing list