Something not mentioned here is that timing attacks have been proven effective even across the internet; you might think "Oh the jitter in TCP is going to overwhelm any leaked information," but you would be wrong.
I do have the sentence "This difference is enough to measure, even on web applications." in the fourth paragraph. Should I highlight that a bit, bold maybe?
I'd also like a good reference for that, and my Google skills were failing me. Do you happen to have a link to something show that off?
I missed that on the first read-through. Invariably when you introduce someone smart to timing attacks they will say "Oh, but that's not going to be practical over TCP/IP.
If you're comparing plain text passwords then you've already done something wrong. You'll find the hash construct mitigates against attacks like these due to its nature, especially with a per user salt.
Looking at the bigger picture of login/auth, timing might easily tell you the difference between valid and invalid usernames (information that you would not normally expect to leak from login)
A clumsy password implementation may give away information about valid password rules, imagine a system that validates passwords for length/complexity etc. (either before or after hashing) and rejects based on that, without comparing the hash values (or worst case, without even performing the hash) again more information has been leaked in the timing.
Hashing would make this technique less useful, but not necessarily useless. For instance, if there is no salt involved, and the hashing algorithm is known (or guessable), you can still make some use of the information leaked.
The difference is that you are not being leaked information about the password, but about the hash of the password. One problem with trying to brute force an authentication over the internet is that it is slow and potentially noticeable by the server admin (then you get cut off). If you exploited a timing attack from a comparison between raw md5's or sha1's of a password, then you can use the leaked information to focus your brute force. Basically, you could use a rainbow table to help you pick what passwords to try next, getting a lot more bang for your buck. In this way you can use the combination of offline brute forcing to generate possible hashes, and the timing attack to select which passwords to actually send.
Now an unknown salt would still ruin your day, just like it is designed to make life difficult for rainbow tables in the first place.
If your salt is 'short' you can still perform this attack.
Assume a timing oracle, which when queried with a plaintext password will return an integer which is the length in bytes of the matching hash prefix.
Choose a small prefix length (perhaps 3 or 4) and send distinct passwords to the oracle until you have more than one input password which produces the length you've chosen.
With this information you can perform an offline brute force of all possible salt values to reduce that set to only the salts which produce the correct matching prefixes when used with the passwords from the previous step.
Too many salts in this set? Test each one by generating a candidate password that has the same prefix as your test cases and then ask the oracle if it agrees that the prefixes match.
Once you know the salt, perform a dictionary attack against the partial hash you already know from guessing the salt to create a set of candidate passwords. If there are too many passwords to test them all, then generate a longer prefix. Either trying all the passwords or generating a prefix which is one byte longer than the last one is going to be a harder problem. Choose the easier of the two problems at each iteration.
It can work the same way. You just slowly figure out the hash: this pw for this user was a bit faster than all the other failures, so we know the first byte of the hash is ...
If you have a bunch of hashes precomputed, you can start to figure things out pretty quick.
The point is it's still leaking information about what's going on.
This makes sense, I hadn't thought of knowing the hashing method and it being unsalted. Knowing those it would be just as easy to whittle the list down exactly the same way.
Err, not exactly the same way. Sure if you have a rainbow table of all the possible values of the hash construct then it would take a negligible amount of time. Doing the math of all possible values in the Hash space you will quickly see that at this point in time and space it's not plausible to have that.
You may then argue that you can have the value space of all popular passwords, but that isn't going to be any more effective than just trying all of the possible passwords.
