Topic on Talk:Requests for comment/Login via e-mail address

Timing attacks on emails with multiple accounts

1
Dantman (talkcontribs)
  • We want to avoid timed attacks that can determine whether an e-mail address is in the database.
    • Perhaps only check one account total?
      • This approach avoids needing to insert an intermediate screen for disambiguation.
    • This would mean that for e-mail addresses that correspond to multiple user names, you would need to error and tell the user to maybe try an account name instead? (The error message presumably cannot give away that there were e-mail addresses that matched in the database, unless the password also matches.)

One other way to avoid a timing attack when an email may be associated with multiple accounts would be to pad the time with extra password checks:

  1. Pick a cryptographic random number between A and B (this is R).
    • Where A is slightly higher than an estimate of the average number of users associated with an email, B is high enough that there are few emails associated with that number of accounts, and there's a bit of space between these numbers.
    • We may want a (log or exp?) scale that makes this number more likely to be smaller.
  2. Subtract the number of users found matching the email address which you need to check the password for from R, but cap it at 0 (this is F).
  3. Run a fake password check – by running an actual password verification on some dummy data then discarding the result – repeated F times.
    • If a fake password verification requires the generation of a new disposable password hash, then always generate one, even if there are no fake password verifications to do.
  4. Check the password for all users even after we find one that matches.

This way an attacker:

  • Cannot guess if you verified passwords on 5 users or verified 5 fake passwords for users that do not exist.
  • Without prior knowledge of the value of B. Cannot immediately know that verifying N number of passwords when N > B means that an email has to exist (because normally N is not a constant value across attempts).
    • Note that B can probably be discovered by a determined attacker. By doing timing attacks a large number of times against a single known email and keeping track of the highest N value encountered. Using a random scale that prefers lower numbers will make this harder (because values close to B will be less common) but will only mean this attack on B needs to run longer to work.
    • Alternatively, running the timing attack on an email multiple times to see if N changes would be another method (N will be constant if it is larger than B)
Reply to "Timing attacks on emails with multiple accounts"