Skip to content
This repository has been archived by the owner on Sep 17, 2024. It is now read-only.

fix(tokens): Hash tokens in tokens module to resist ND2DB-style timing attack #83

Open
wants to merge 1 commit into
base: 06-07-chore_migrate_from_yaml_to_json
Choose a base branch
from
Open

fix(tokens): Hash tokens in tokens module to resist ND2DB-style timing attack #83

wants to merge 1 commit into from

Conversation

Blckbrry-Pi
Copy link
Contributor

@Blckbrry-Pi Blckbrry-Pi commented May 1, 2024
edited
Loading

Resolves OGB-53

@Blckbrry-Pi Graphite App
Copy link
Contributor Author

Blckbrry-Pi commented May 1, 2024
edited
Loading

This stack of pull requests is managed by Graphite. Learn more about stacking.

Join @Blckbrry-Pi and the rest of your teammates on Graphite Graphite

@Blckbrry-Pi Blckbrry-Pi marked this pull request as ready for review May 1, 2024 20:33
@linear Linear
Copy link

linear bot commented May 1, 2024

OGB-53 Combination of B-Tree index + unhashed tokens may leave `tokens` vulnerable to a ND2DB-adjacent timing attack.

MasterPtato
MasterPtato approved these changes May 2, 2024
View reviewed changes
Copy link

@MasterPtato MasterPtato left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm not too familiar with this kind if attack, is it possible to write a unit test that confirms this attack is no longer valid after this patch?

@Blckbrry-Pi Graphite App
Copy link
Contributor Author

I'm not too familiar with this kind if attack, is it possible to write a unit test that confirms this attack is no longer valid after this patch?

Almost definitely not.
The theoretical timing attack I proposed would probably take about 3 days minimum to attempt, and that would be if the attacker was on the lucky side.

I can almost guarantee that this style of timing attack will be impossible until a method is released to manipulate SHA256 hashes bit by bit.

NathanFlurry
NathanFlurry suggested changes May 15, 2024
View reviewed changes
modules/tokens/utils/types.ts Outdated Show resolved Hide resolved
@Blckbrry-Pi Blckbrry-Pi force-pushed the 05-01-fix_tokens_hash_tokens_in_tokens_module_to_resist_nd2db-style_timing_attack branch from b2cefc7 to 3d5d946 Compare May 16, 2024 12:15
@Blckbrry-Pi Blckbrry-Pi requested a review from NathanFlurry May 16, 2024 12:17
@Blckbrry-Pi Blckbrry-Pi force-pushed the 05-01-fix_tokens_hash_tokens_in_tokens_module_to_resist_nd2db-style_timing_attack branch from 3d5d946 to 29dbcf2 Compare May 22, 2024 00:58
NathanFlurry
NathanFlurry suggested changes Jun 4, 2024
View reviewed changes
modules/tokens/scripts/get_by_token.ts
@@ -13,18 +13,22 @@ export async function run(
ctx: ScriptContext,
req: Request,
): Promise<Response> {
const hashed = await Promise.all(req.tokens.map(hash));
console.log(hashed);
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

remove

modules/tokens/utils/types.ts
row: prisma.Prisma.TokenGetPayload<any>,
): Token {
return {
...withoutKeys(row, ["tokenHash"]),
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this is more lines of code and harder to understand than just manually passing in each parameter from the row in to the response.

modules/tokens/utils/types.ts Show resolved Hide resolved
@NathanFlurry NathanFlurry force-pushed the 05-01-fix_tokens_hash_tokens_in_tokens_module_to_resist_nd2db-style_timing_attack branch from 29dbcf2 to 32c725a Compare June 7, 2024 23:21
@NathanFlurry NathanFlurry changed the base branch from main to 06-07-chore_migrate_from_yaml_to_json June 7, 2024 23:21
This was referenced Jun 7, 2024
Merged
Closed
This was referenced Jun 7, 2024
Merged
Open
Open
@NathanFlurry NathanFlurry mentioned this pull request Jun 8, 2024
Merged
This was referenced Jun 27, 2024
Merged
Closed
Closed
Merged
Closed
Closed
Closed
Closed
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@NathanFlurry NathanFlurry NathanFlurry requested changes

@MasterPtato MasterPtato MasterPtato approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@Blckbrry-Pi @NathanFlurry @MasterPtato