OMEMO - Timing Side-Channel in HMAC Comparison

[soatok]

Originally disclosed here.

qxmpp/src/omemo/QXmppOmemoManager_p.cpp

Line 1766 in 94232e7

if (messageAuthenticationCode != expectedMessageAuthenticationCode) {

Explainers:

1. https://soatok.blog/2020/08/27/soatoks-guide-to-side-channel-attacks/
2. https://security.stackexchange.com/a/74552

This defect is a problem with the OMEMO specification. It should have called out the specific steps that implementors follow to prevent this sort of side-channel attack.

[lnjX]

So the issue is that an attacker could gain information about the real hmac because of the non-constant time comparison, right? I'd guess that this isn't realistic when triggering this remotely via network, but still of course this could be improved.

I didn't find a commonly used constant-time string comparison function in the standard library or QCA. Do you have any recommendations?

And have you considered making a proposal to update the spec?

[soatok]

I didn't find a commonly used constant-time string comparison function in the standard library or QCA. Do you have any recommendations?

https://github.com/jedisct1/libsodium/blob/1012bbc380c81bf7782a85d43c2c9ed7caf8c8b9/src/libsodium/sodium/utils.c#L186-L208

And have you considered making a proposal to update the spec?

After the misconduct of one of the spec authors, I'm avoiding talking to them at all. Feel free to suggest it if you think it's a good use of your time.