From 0dae345ce579f3aa8b583d0600b2b2cf50bcae96 Mon Sep 17 00:00:00 2001 From: Peter Surda Date: Thu, 18 Feb 2016 16:01:06 +0100 Subject: [PATCH] Constant time decryption Always try to decrypt with all keys. --- src/class_objectProcessor.py | 24 ++++++++++++++---------- 1 file changed, 14 insertions(+), 10 deletions(-) diff --git a/src/class_objectProcessor.py b/src/class_objectProcessor.py index 52badd56..db9cc27c 100644 --- a/src/class_objectProcessor.py +++ b/src/class_objectProcessor.py @@ -335,11 +335,13 @@ class objectProcessor(threading.Thread): for key, cryptorObject in shared.myECCryptorObjects.items(): try: - decryptedData = cryptorObject.decrypt(data[readPosition:]) - toRipe = key # This is the RIPE hash of my pubkeys. We need this below to compare to the destination_ripe included in the encrypted data. - initialDecryptionSuccessful = True - logger.info('EC decryption successful using key associated with ripe hash: %s.' % key.encode('hex')) - break + if initialDecryptionSuccessful: # continue decryption attempts to avoid timing attacks + cryptorObject.decrypt(data[readPosition:]) + else: + decryptedData = cryptorObject.decrypt(data[readPosition:]) + toRipe = key # This is the RIPE hash of my pubkeys. We need this below to compare to the destination_ripe included in the encrypted data. + initialDecryptionSuccessful = True + logger.info('EC decryption successful using key associated with ripe hash: %s.' % key.encode('hex')) except Exception as err: pass if not initialDecryptionSuccessful: @@ -615,11 +617,13 @@ class objectProcessor(threading.Thread): initialDecryptionSuccessful = False for key, cryptorObject in shared.MyECSubscriptionCryptorObjects.items(): try: - decryptedData = cryptorObject.decrypt(data[readPosition:]) - toRipe = key # This is the RIPE hash of the sender's pubkey. We need this below to compare to the RIPE hash of the sender's address to verify that it was encrypted by with their key rather than some other key. - initialDecryptionSuccessful = True - logger.info('EC decryption successful using key associated with ripe hash: %s' % key.encode('hex')) - break + if initialDecryptionSuccessful: # continue decryption attempts to avoid timing attacks + cryptorObject.decrypt(data[readPosition:]) + else: + decryptedData = cryptorObject.decrypt(data[readPosition:]) + toRipe = key # This is the RIPE hash of the sender's pubkey. We need this below to compare to the RIPE hash of the sender's address to verify that it was encrypted by with their key rather than some other key. + initialDecryptionSuccessful = True + logger.info('EC decryption successful using key associated with ripe hash: %s' % key.encode('hex')) except Exception as err: pass # print 'cryptorObject.decrypt Exception:', err