Login Timing Attacks for Mischief and Mayhem

Presented at Kiwicon 6: The Con of the Beast (2012), Nov. 17, 2012, 11 a.m. (30 minutes)

Timing attacks are relatively well known in the shady recesses of the caves I assume cryptographers hide in. However, less is known by us security and hacker folk. I intend to rectify this injustice by answering a simple question - can a timing attack be used on a remote web app to guess a hashed password faster than a simple brute force attack? To this end I have pondered, coded, tested, sweated, cried, pondered some more, tested, cried again and coded until I have the tool to answer the question! Ha! This talk will outline the tool, the technique, and its limitations. They said it couldn't be done, I say watch my talk and find out.


Presenters:

  • Adrian Hayes
    Adrian does security things on behalf of his corporate overlords, Security-Assessment.com. His focus is on web things and crypto things, but he dabbles in all the things. Adrian enjoys OWASP chapter meetings (he is the Wellington leader after all), and long walks on the beach.
