qxmpp icon indicating copy to clipboard operation
qxmpp copied to clipboard

Published 20 hours ago verified publisher icon qxmpp-project

OMEMO - Timing Side-Channel in HMAC Comparison

Open soatok opened this issue 6 months ago • 2 comments

Originally disclosed here.

https://github.com/qxmpp-project/qxmpp/blob/94232e798de18099322bee71400f246c9193047a/src/omemo/QXmppOmemoManager_p.cpp#L1766

Explainers:

  1. https://soatok.blog/2020/08/27/soatoks-guide-to-side-channel-attacks/
  2. https://security.stackexchange.com/a/74552

This defect is a problem with the OMEMO specification. It should have called out the specific steps that implementors follow to prevent this sort of side-channel attack.

soatok avatar Aug 10 '24 18:08 soatok