Skip to content
This repository was archived by the owner on Sep 17, 2024. It is now read-only.

fix(tokens): Hash tokens in tokens module to resist ND2DB-style timing attack#83

Open
Blckbrry-Pi wants to merge 1 commit into06-07-chore_migrate_from_yaml_to_jsonfrom
05-01-fix_tokens_hash_tokens_in_tokens_module_to_resist_nd2db-style_timing_attack
Open

fix(tokens): Hash tokens in tokens module to resist ND2DB-style timing attack#83
Blckbrry-Pi wants to merge 1 commit into06-07-chore_migrate_from_yaml_to_jsonfrom
05-01-fix_tokens_hash_tokens_in_tokens_module_to_resist_nd2db-style_timing_attack

Conversation

@Blckbrry-Pi
Copy link
Copy Markdown
Contributor

@Blckbrry-Pi Blckbrry-Pi commented May 1, 2024
edited
Loading

Resolves OGB-53

@Blckbrry-Pi Graphite App
Copy link
Copy Markdown
Contributor Author

Blckbrry-Pi commented May 1, 2024
edited
Loading

This stack of pull requests is managed by Graphite. Learn more about stacking.

Join @Blckbrry-Pi and the rest of your teammates on Graphite Graphite

@Blckbrry-Pi Blckbrry-Pi marked this pull request as ready for review May 1, 2024 20:33
@linear
Copy link
Copy Markdown

linear bot commented May 1, 2024

OGB-53 Combination of B-Tree index + unhashed tokens may leave `tokens` vulnerable to a ND2DB-adjacent timing attack.

MasterPtato
MasterPtato approved these changes May 2, 2024
View reviewed changes
Copy link
Copy Markdown

@MasterPtato MasterPtato left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm not too familiar with this kind if attack, is it possible to write a unit test that confirms this attack is no longer valid after this patch?

@Blckbrry-Pi Graphite App
Copy link
Copy Markdown
Contributor Author

Blckbrry-Pi commented May 3, 2024

I'm not too familiar with this kind if attack, is it possible to write a unit test that confirms this attack is no longer valid after this patch?

Almost definitely not.
The theoretical timing attack I proposed would probably take about 3 days minimum to attempt, and that would be if the attacker was on the lucky side.

I can almost guarantee that this style of timing attack will be impossible until a method is released to manipulate SHA256 hashes bit by bit.

NathanFlurry
NathanFlurry suggested changes May 15, 2024
View reviewed changes
Comment thread modules/tokens/utils/types.ts Outdated
@Blckbrry-Pi Blckbrry-Pi force-pushed the 05-01-fix_tokens_hash_tokens_in_tokens_module_to_resist_nd2db-style_timing_attack branch from b2cefc7 to 3d5d946 Compare May 16, 2024 12:15
@Blckbrry-Pi Blckbrry-Pi requested a review from NathanFlurry May 16, 2024 12:17
@Blckbrry-Pi Blckbrry-Pi force-pushed the 05-01-fix_tokens_hash_tokens_in_tokens_module_to_resist_nd2db-style_timing_attack branch from 3d5d946 to 29dbcf2 Compare May 22, 2024 00:58
NathanFlurry
NathanFlurry suggested changes Jun 4, 2024
View reviewed changes
Comment thread modules/tokens/scripts/get_by_token.ts
req: Request,
): Promise<Response> {
const hashed = await Promise.all(req.tokens.map(hash));
console.log(hashed);
Copy link
Copy Markdown
Member

@NathanFlurry NathanFlurry Jun 4, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

remove

Comment thread modules/tokens/utils/types.ts
row: prisma.Prisma.TokenGetPayload<any>,
): Token {
return {
...withoutKeys(row, ["tokenHash"]),
Copy link
Copy Markdown
Member

@NathanFlurry NathanFlurry Jun 4, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this is more lines of code and harder to understand than just manually passing in each parameter from the row in to the response.

Comment thread modules/tokens/utils/types.ts
@NathanFlurry NathanFlurry force-pushed the 05-01-fix_tokens_hash_tokens_in_tokens_module_to_resist_nd2db-style_timing_attack branch from 29dbcf2 to 32c725a Compare June 7, 2024 23:21
@NathanFlurry NathanFlurry changed the base branch from main to 06-07-chore_migrate_from_yaml_to_json June 7, 2024 23:21
This was referenced Jun 7, 2024
Merged
Closed
This was referenced Jun 7, 2024
Merged
Open
Open
@NathanFlurry NathanFlurry mentioned this pull request Jun 8, 2024
Merged
This was referenced Jun 27, 2024
Merged
Closed
Closed
Merged
Closed
Closed
Closed
Closed
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

2 more reviewers

@NathanFlurry NathanFlurry NathanFlurry requested changes

@MasterPtato MasterPtato MasterPtato approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@Blckbrry-Pi @NathanFlurry @MasterPtato