diff options
| author | Julian Krause <julian.krause@gmail.com> | 2013-12-12 20:55:39 -0800 |
|---|---|---|
| committer | Julian Krause <julian.krause@gmail.com> | 2013-12-12 20:55:39 -0800 |
| commit | 848f770c4ab33e0d1cd98c78480ae32d5c5f134e (patch) | |
| tree | 447a0195b9a77b5a8c4098261718e0e67418f000 | |
| parent | d6f14daf49036a434bc0a6b190457694f8703be1 (diff) | |
| download | cryptography-848f770c4ab33e0d1cd98c78480ae32d5c5f134e.tar.gz cryptography-848f770c4ab33e0d1cd98c78480ae32d5c5f134e.tar.bz2 cryptography-848f770c4ab33e0d1cd98c78480ae32d5c5f134e.zip | |
Update documentation again to make it clearer what this is for. Moved to using Coda Hale's post.
| -rw-r--r-- | docs/conf.py | 2 | ||||
| -rw-r--r-- | docs/hazmat/primitives/constant-time.rst | 16 |
2 files changed, 10 insertions, 8 deletions
diff --git a/docs/conf.py b/docs/conf.py index c6479ef3..5092e4d3 100644 --- a/docs/conf.py +++ b/docs/conf.py @@ -257,7 +257,5 @@ texinfo_documents = [ # How to display URL addresses: 'footnote', 'no', or 'inline'. #texinfo_show_urls = 'footnote' -linkcheck_ignore = [r'http://rdist.root.org/'] - # Example configuration for intersphinx: refer to the Python standard library. intersphinx_mapping = {'http://docs.python.org/': None} diff --git a/docs/hazmat/primitives/constant-time.rst b/docs/hazmat/primitives/constant-time.rst index 4e00e9b9..4df73b3c 100644 --- a/docs/hazmat/primitives/constant-time.rst +++ b/docs/hazmat/primitives/constant-time.rst @@ -5,12 +5,16 @@ Constant time functions .. currentmodule:: cryptography.hazmat.primitives.constant_time -In order for cryptographic operations to not leak information through timing -side channels, constant time operations need to be used. +This module contains functions for operating with secret data in a way that +does not leak information about that data through how long it takes to perform +the operation. These functions should be used whenever operating on secret data +along with data that is user supplied. -One should use these functions whenever you are comparing a secret to -something received. This includes things like HMAC signatures as described by -a `timing attack on KeyCzar`_. +An example would be comparing a HMAC signature received from a client to the +one generated by the server code for authentication purposes. + +For more information about this sort of issue, see `Coda Hale's blog post`_ +about the timing attacks on KeyCzar and Java's ``MessageDigest.isEquals()``. .. function:: bytes_eq(a, b) @@ -31,4 +35,4 @@ a `timing attack on KeyCzar`_. :returns boolean: True if ``a`` has the same bytes as ``b``. -.. _`timing attack on KeyCzar`: http://rdist.root.org/2009/05/28/timing-attack-in-google-keyczar-library/ +.. _`Coda Hale's blog post`: http://codahale.com/a-lesson-in-timing-attacks/ |