From: Ian Kelly
Date: Sat, 27 Jun 2015 09:09:28 -0600
Subject: Re: Pure Python Data Mangling or Encrypting
Newsgroups: comp.lang.python

On Sat, Jun 27, 2015 at 2:38 AM, Steven D'Aprano wrote:
> Can you [generic you] believe that attackers can *reliably* attack remote
> systems based on a 20µs timing differences? If you say "No", then you fail
> Security 101 and should step away from the computer until a security expert
> can be called in to review your code.

Of course. I wouldn't bet the house on it, but with the proposed
substitution cipher system, I don't see why there would be any
measurable timing differences at all based on the choice of key. The
time to obfuscate a single byte is constant, so the total time to
obfuscate the payload should just be a function of the length of the
data.

Secondly, the 200 (or whatever) response to the client does not depend
on the outcome of the obfuscation step, so there is no reason that the
server cannot simply respond first and obfuscate after, giving the
client nothing to time.
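
The two points in the reply above, shown as an added example that is not part of the original post or of the scheme proposed in the thread: a byte substitution applied as one table lookup per byte, and a receiver that fixes its response before any keyed work runs. The names `make_tables`, `obfuscate`, `Receiver` and `demo`, the seeded-shuffle key schedule and the sample key and payload are assumptions made for illustration.

```python
import queue
import random


def make_tables(key: bytes):
    """Build a 256-entry substitution table and its inverse from a key.

    Assumption: the thread's key schedule is not shown on this page, so a
    seeded shuffle stands in for it. This is obfuscation, not encryption.
    """
    perm = list(range(256))
    random.Random(key).shuffle(perm)
    inverse = [0] * 256
    for plain, sub in enumerate(perm):
        inverse[sub] = plain
    return bytes(perm), bytes(inverse)


def obfuscate(data: bytes, table: bytes) -> bytes:
    # The same number of table lookups is done for every key, so the amount
    # of work depends only on len(data).
    return data.translate(table)


class Receiver:
    """Hypothetical server side: acknowledge first, obfuscate afterwards."""

    def __init__(self, key: bytes):
        self.table, self.inverse = make_tables(key)
        self.pending = queue.Queue()
        self.stored = []

    def handle_upload(self, payload: bytes) -> int:
        # The status is decided before any keyed work runs, so the latency
        # the client sees does not include the obfuscation step.
        self.pending.put(payload)
        return 200

    def drain(self) -> None:
        # Runs after the response has gone out (worker or post-response hook).
        while not self.pending.empty():
            self.stored.append(obfuscate(self.pending.get(), self.table))


def demo():
    rx = Receiver(b"constructed-key")            # constructed sample key
    status = rx.handle_upload(b"constructed sample payload")
    stored_at_response = list(rx.stored)         # still empty at response time
    rx.drain()
    return status, stored_at_response, rx.stored[0].translate(rx.inverse)
```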