This repository has been archived by the owner on Jan 31, 2025. It is now read-only.

Security Fix

@stef stef released this 31 Jul 14:39
· 4 commits to master since this release

Attention! This release is backward incompatible: it changes the function sphinx_finish() by adding one additional parameter.

This release contains one security fix for the following active attack, in which the attacker is able to inject answers between the sphinx client and server and is additionally able to sniff the password used for authentication:

1. client blinds the password, alpha = H(p)^r, and sends it to the oracle
2. attacker races the answer from the oracle and simply reflects alpha back to the client
3. client unblinds and hashes the response: rwd = H(p, H(p)^(r*1/r)) = H(p, H(p)), a value that no longer depends on the oracle's key
4. attacker sniffs rwd
5. attacker can offline bruteforce the password

In this fix we enforce that the client checks in sphinx_finish() that the request sent is not equal to the response. This forces the attacker to also include a scalar multiplication in their bruteforce attack, making it computationally more expensive.

However, note that an attacker returning alpha*2 or some other small multiplier will still be able to mount a significantly cheaper bruteforce attack against the master password. This is an unavoidable and well-known issue and outside the scope of SPHINX.
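The following is an added Python model of the exchange above and of the reflection check this release introduces; it is not libsphinx code and does not reproduce its API (libsphinx works on ristretto255, while this model uses a small toy prime-order group, written multiplicatively, so that it runs with the standard library only). The assumption made here is that the extra sphinx_finish() parameter carries the client's own request (alpha), since the check needs it to compare request against response. `finish_old` is the pre-fix behaviour, `finish_fixed` the post-fix behaviour, and the passwords and key are constructed sample values.

```python
import hashlib
import secrets

# Toy prime-order group for the model: the order-Q subgroup of Z_P^* for the
# safe prime P = 10007 (Q = 5003), generated by G = 4.  Constructed for
# illustration only; libsphinx itself uses ristretto255.
P = 10007
Q = (P - 1) // 2
G = 4


def hash_to_group(pwd: bytes) -> int:
    """H(p): map the password to a group element (toy hash-to-group)."""
    h = int.from_bytes(hashlib.sha256(pwd).digest(), "big")
    return pow(G, 1 + h % (Q - 1), P)       # exponent in [1, Q-1], never 1


def blind(pwd: bytes) -> tuple[int, int]:
    """Client step 1: alpha = H(p)^r with a fresh random scalar r."""
    r = 1 + secrets.randbelow(Q - 1)         # r in [1, Q-1], invertible mod Q
    return r, pow(hash_to_group(pwd), r, P)


def evaluate(alpha: int, k: int) -> int:
    """Oracle (server) step: beta = alpha^k with its secret key k."""
    return pow(alpha, k, P)


def _unblind_and_hash(pwd: bytes, r: int, beta: int) -> bytes:
    """rwd = H(p, beta^(1/r)); for an honest beta this equals H(p, H(p)^k)."""
    r_inv = pow(r, -1, Q)
    unblinded = pow(beta, r_inv, P)
    return hashlib.sha256(pwd + unblinded.to_bytes(2, "big")).digest()


def finish_old(pwd: bytes, r: int, beta: int) -> bytes:
    """Behaviour before the fix: the response is accepted unconditionally."""
    return _unblind_and_hash(pwd, r, beta)


def finish_fixed(pwd: bytes, r: int, alpha: int, beta: int) -> bytes:
    """Behaviour after the fix: the (assumed) extra parameter is the request
    alpha, so the client can refuse a response that merely reflects it."""
    if beta == alpha:
        raise ValueError("oracle response equals the request: reflected")
    return _unblind_and_hash(pwd, r, beta)


def honest_run(pwd: bytes, k: int) -> bytes:
    """Full exchange with an honest oracle holding key k."""
    r, alpha = blind(pwd)
    beta = evaluate(alpha, k)
    return finish_fixed(pwd, r, alpha, beta)


def reflected_old(pwd: bytes) -> bytes:
    """What the pre-fix client derived when the response was just alpha:
    the blinding cancels and rwd = H(p, H(p)), independent of the key."""
    r, alpha = blind(pwd)
    return finish_old(pwd, r, alpha)


def reflected_fixed_rejects(pwd: bytes) -> bool:
    """True if the post-fix client refuses the reflected response."""
    r, alpha = blind(pwd)
    try:
        finish_fixed(pwd, r, alpha, alpha)
    except ValueError:
        return True
    return False
```

Running `honest_run` twice with the same password and key yields the same rwd even though r differs, while `reflected_old` yields a value that depends on the password alone, which is exactly why it could be attacked offline without the oracle. The check in `finish_fixed` only catches the literal reflection; a response such as alpha^2 (the "small multiplier" caveat above) passes the equality test, which is the limit the release notes describe.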