From 101bd0de0d218f12d09732e8355c094e39a4e41d Mon Sep 17 00:00:00 2001 From: Michael Savage Date: Tue, 28 Nov 2017 21:02:03 +0200 Subject: [PATCH] crypto_verify manual tweaks --- doc/man/man3/crypto_verify16.3monocypher | 13 ++++++------- 1 file changed, 6 insertions(+), 7 deletions(-) diff --git a/doc/man/man3/crypto_verify16.3monocypher b/doc/man/man3/crypto_verify16.3monocypher index 2ccdc64..4362643 100644 --- a/doc/man/man3/crypto_verify16.3monocypher +++ b/doc/man/man3/crypto_verify16.3monocypher @@ -17,16 +17,15 @@ .Sh DESCRIPTION Cryptographic operations often require comparison of secrets or values derived from secrets. -Standard comparison functions tend to exit as soo as they find a -difference, and doing so leaks information through variable timings. +Standard comparison functions (like memcmp) tend to exit when they find +the first difference, leaking information through timing differences. .Pp -A cannonical example is the message authentication code (MAC). -A MAC may be sent over the network along with a message. -However, the correct MAC is secret. +As an example, say a message authentication code (MAC) is sent over the +network along with a message, but the correct MAC is secret. If the attacker attempts a forgery, one does not want to reveal .Dq your MAC is wrong, Em and it took 384 microseconds to tell . -If the next attempt takes 462 microseconds instead, it gives away the -fact that the attacker just guessed a few bytes correctly. +If the next attempt takes 462 microseconds instead, it tells the +attacker they just guessed a few bytes correctly. That way, an attacker can derive the correct MAC, and sucessfully forge a message. This has lead to practical attacks in the past. -- 2.47.3
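Review bot: the two unchanged context lines at the end of this hunk still carry the typos "sucessfully forge a message" and "This has lead to practical attacks" (should be "successfully" and "has led"); since this commit is a wording pass over exactly this paragraph, it would be worth folding those two fixes in rather than leaving them for another patch. A minor mdoc style point on the added line "Standard comparison functions (like memcmp) tend to exit when they find": a function name in a man page is usually marked up with a macro such as `.Xr memcmp 3` rather than written as plain text, which in mdoc means breaking the sentence so the macro starts its own line, e.g. "Standard comparison functions (like" / ".Xr memcmp 3 )" / "tend to exit when they find"; that also gives readers a cross-reference to the memcmp page.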