93 lines
4.2 KiB
HTML
93 lines
4.2 KiB
HTML
<!DOCTYPE html>
|
|
<html>
|
|
<head>
|
|
<meta charset="utf-8"/>
|
|
<style>
|
|
table.head, table.foot { width: 100%; }
|
|
td.head-rtitle, td.foot-os { text-align: right; }
|
|
td.head-vol { text-align: center; }
|
|
div.Pp { margin: 1ex 0ex; }
|
|
</style>
|
|
<link rel="stylesheet" href="style.css" type="text/css" media="all"/>
|
|
<title>CRYPTO_VERIFY16(3MONOCYPHER)</title>
|
|
</head>
|
|
<body>
|
|
<table class="head">
|
|
<tr>
|
|
<td class="head-ltitle">CRYPTO_VERIFY16(3MONOCYPHER)</td>
|
|
<td class="head-vol">3MONOCYPHER</td>
|
|
<td class="head-rtitle">CRYPTO_VERIFY16(3MONOCYPHER)</td>
|
|
</tr>
|
|
</table>
|
|
<div class="manual-text">
|
|
<h1 class="Sh" title="Sh" id="NAME"><a class="selflink" href="#NAME">NAME</a></h1>
|
|
<b class="Nm" title="Nm">crypto_verify16</b>,
|
|
<b class="Nm" title="Nm">crypto_verify32</b>,
|
|
<b class="Nm" title="Nm">crypto_verify64</b> —
|
|
<span class="Nd" title="Nd">timing-safe data comparison</span>
|
|
<h1 class="Sh" title="Sh" id="SYNOPSIS"><a class="selflink" href="#SYNOPSIS">SYNOPSIS</a></h1>
|
|
<b class="In" title="In">#include
|
|
<<a class="In" title="In">monocypher.h</a>></b>
|
|
<div class="Pp"></div>
|
|
<var class="Ft" title="Ft">int</var>
|
|
<br/>
|
|
<b class="Fn" title="Fn">crypto_verify16</b>(<var class="Fa" title="Fa">const
|
|
uint8_t a[16]</var>, <var class="Fa" title="Fa">const uint8_t b[16]</var>);
|
|
<div class="Pp"></div>
|
|
<var class="Ft" title="Ft">int</var>
|
|
<br/>
|
|
<b class="Fn" title="Fn">crypto_verify32</b>(<var class="Fa" title="Fa">const
|
|
uint8_t a[32]</var>, <var class="Fa" title="Fa">const uint8_t b[32]</var>);
|
|
<div class="Pp"></div>
|
|
<var class="Ft" title="Ft">int</var>
|
|
<br/>
|
|
<b class="Fn" title="Fn">crypto_verify64</b>(<var class="Fa" title="Fa">const
|
|
uint8_t a[64]</var>, <var class="Fa" title="Fa">const uint8_t b[64]</var>);
|
|
<h1 class="Sh" title="Sh" id="DESCRIPTION"><a class="selflink" href="#DESCRIPTION">DESCRIPTION</a></h1>
|
|
Cryptographic operations often require comparison of secrets or values derived
|
|
from secrets. Standard comparison functions like
|
|
<b class="Fn" title="Fn">memcmp</b>() tend to exit when they find the first
|
|
difference, leaking information through timing differences.
|
|
<div class="Pp"></div>
|
|
As an example, say a message authentication code (MAC) is sent over the network
|
|
along with a message, but the correct MAC is secret. If the attacker attempts
|
|
a forgery, one does not want to reveal “your MAC is wrong,
|
|
<i class="Em" title="Em">and it took 384 microseconds to tell</i>”. If
|
|
the next attempt takes 462 microseconds instead, it tells the attacker they
|
|
just guessed a byte correctly. That way, an attacker can derive the correct
|
|
MAC byte by byte, and successfully forge a message. This has lead to practical
|
|
attacks in the past.
|
|
<div class="Pp"></div>
|
|
To avoid such catastrophic failure,
|
|
<b class="Fn" title="Fn">crypto_verify16</b>(),
|
|
<b class="Fn" title="Fn">crypto_verify32</b>() and
|
|
<b class="Fn" title="Fn">crypto_verify64</b>() provide comparison functions
|
|
whose timing is independent from the content of their input. They compare the
|
|
first 16, 32, or 64 bytes of the two byte arrays
|
|
<var class="Fa" title="Fa">a</var> and <var class="Fa" title="Fa">b</var>.
|
|
<div class="Pp"></div>
|
|
When in doubt, prefer these functions over
|
|
<b class="Fn" title="Fn">memcmp</b>().
|
|
<h1 class="Sh" title="Sh" id="RETURN_VALUES"><a class="selflink" href="#RETURN_VALUES">RETURN
|
|
VALUES</a></h1>
|
|
These functions return 0 if the two memory chunks are the same, -1 otherwise.
|
|
<h1 class="Sh" title="Sh" id="SEE_ALSO"><a class="selflink" href="#SEE_ALSO">SEE
|
|
ALSO</a></h1>
|
|
<a class="Xr" title="Xr" href="intro.html">intro(3monocypher)</a>
|
|
<h1 class="Sh" title="Sh" id="HISTORY"><a class="selflink" href="#HISTORY">HISTORY</a></h1>
|
|
The <b class="Fn" title="Fn">crypto_verify16</b>(),
|
|
<b class="Fn" title="Fn">crypto_verify32</b>(),
|
|
<b class="Fn" title="Fn">crypto_verify64</b>() functions first appeared in
|
|
Monocypher 1.1.0. They replaced the
|
|
<b class="Fn" title="Fn">crypto_memcmp</b>() and
|
|
<b class="Fn" title="Fn">crypto_zerocmp</b>() functions that were present
|
|
until Monocypher 1.0.1.</div>
|
|
<table class="foot">
|
|
<tr>
|
|
<td class="foot-date">March 31, 2020</td>
|
|
<td class="foot-os">Linux 4.15.0-106-generic</td>
|
|
</tr>
|
|
</table>
|
|
</body>
|
|
</html>
|