Observable Timing Discrepancy

csharp.observable_timing_discrepancy

Severity

high

Resource

Information Leak

Language

CSharp

Description

Observable Timing Discrepancy occurs when the time it takes for certain operations to complete can be measured and observed by attackers.

Rationale

When conducting plaintext password comparisons, there’s a risk that an attacker could discern the password’s value by observing the timing of comparisons. This is because the comparison takes less time as fewer bytes match.

Consider the following C# code:

using System;

class Program
{
    static void Main(string[] args)
    {
        Console.WriteLine("Password:");
        var pwd = Console.ReadLine();

        if (CheckPassword(pwd))
        {
            Console.WriteLine("Login done");
        }
    }

    private static bool CheckPassword(string pwd)
    {
        return (pwd == "super.secret"); // FLAW
    }
}

Remediation

To remediate issues related to plaintext storage of passwords, implement the following practices:

Use Secure Hashing Algorithms: Store passwords using a strong, one-way hashing algorithm combined with a salt to protect against dictionary and rainbow table attacks.
Leverage Strong Cryptography: When passwords must be stored for validation, use a combination of hashing and salting. Ensure the algorithms used are well-regarded and up-to-date with industry standards (e.g., PBKDF2, bcrypt, scrypt).
Protect Access to Passwords: Ensure access to stored hashed passwords and salts is tightly controlled using access controls and encryption.

Following these practices will significantly enhance the security of password storage in your applications, reducing the risk of unauthorized access.

References

CWE-208 : Observable Timing Discrepancy
ConstantTimeCompare