On Mon, Jun 12, 2017 at 12:30 AM, Emil Lenngren <[email protected]> wrote: > 2017-06-11 22:48 GMT+02:00 Emmanuel Grumbach <[email protected]>: >> On Sun, Jun 11, 2017 at 4:36 PM, Kees Cook <[email protected]> wrote: >>> >>> On Sun, Jun 11, 2017 at 1:13 AM, Kalle Valo <[email protected]> wrote: >>> > "Jason A. Donenfeld" <[email protected]> writes: >>> > >>> >> Whenever you're comparing two MACs, it's important to do this using >>> >> crypto_memneq instead of memcmp. With memcmp, you leak timing >>> >> information, >>> >> which could then be used to iteratively forge a MAC. >>> > >>> > Do you have any pointers where I could learn more about this? >>> >>> While not using C specifically, this talks about the problem generally: >>> https://www.chosenplaintext.ca/articles/beginners-guide-constant-time-cryptography.html >>> >> >> Sorry for the stupid question, but the MAC address is in plaintext in >> the air anyway or easily accessible via user space tools. I fail to >> see what it is so secret about a MAC address in that code where that >> same MAC address is accessible via myriads of ways. > > I think you're mixing up Media Access Control (MAC) addresses with > Message Authentication Code (MAC). The second one is a cryptographic > signature of a message.
Obviously... Sorry for the noise.
