Project author: ocheron

Project description:
Experiments for more secure CBC mode
Primary language: HTML
Project URL: git://github.com/ocheron/crypto-cbc.git
Created: 2020-06-20T09:30:53Z
Project page: https://github.com/ocheron/crypto-cbc

License: BSD 3-Clause "New" or "Revised" License


crypto-cbc

Extends cryptonite hash
implementations in order to process CBC-padded messages in constant time.

The diagram below compares the original implementation of CBC-mode present in
tls with a constant-time implementation. Execution time is displayed for
several padding lengths, keeping the total length constant.

[Figure: CBC-mode benchmark; duration in µs, full criterion report]

Notes:

  • To make the benchmark code simpler, some elements of the implementation were
    removed to focus only on CBC padding. Instead of authenticating with HMAC,
    the code only tests integrity with the hash algorithm alone.

  • Parameters are as follows: integrity with SHA-256, message length of 16384
    bytes, padding between 0 and 255 bytes, TLS padding validation.

  • The new code still contains a small timing leak due to excessive reliance on
    Bool constructors. An expression like digestValid && !paddingValid
    requires a separate branch for each boolean condition instead of a single
    branch on the final result. This is minor and can be resolved by replacing
    the intermediate Bool values with a datatype like
    newtype CryptoBool = CryptoBool Word and combining them with an arithmetic
    AND operator. Currently the code still uses constEq from module
    Data.ByteArray, which returns a Bool.
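
The CryptoBool approach from the last note, written out as an added Haskell example rather than code from crypto-cbc, cryptonite or tls: the helpers ctAnd, ctLt, ctIsZero, ctEqBytes, checkPadding and recordValid are hypothetical names, and checkPadding assumes TLS-style padding (a length byte p followed by p further bytes equal to p) with a MAC of macLen bytes placed just before it.

```haskell
-- Added example, not code from crypto-cbc: a constant-time TLS padding check
-- built on an arithmetic boolean, the CryptoBool idea from the note above.
module CtPadding where

import Data.Bits (complement, finiteBitSize, shiftR, xor, (.&.), (.|.))
import qualified Data.ByteString as B
import Data.List (foldl')

-- Boolean as a machine word: 0 = false, all bits set = true.
newtype CryptoBool = CryptoBool Word deriving (Eq, Show)
ctTrue, ctFalse :: CryptoBool
ctTrue  = CryptoBool (complement 0)
ctFalse = CryptoBool 0

-- AND / OR / NOT are plain bit operations: no branch on the operand values.
ctAnd, ctOr :: CryptoBool -> CryptoBool -> CryptoBool
ctAnd (CryptoBool a) (CryptoBool b) = CryptoBool (a .&. b)
ctOr  (CryptoBool a) (CryptoBool b) = CryptoBool (a .|. b)
ctNot :: CryptoBool -> CryptoBool
ctNot (CryptoBool a) = CryptoBool (complement a)

-- True iff w == 0: the top bit of (w .|. negate w) is set exactly when w /= 0.
ctIsZero :: Word -> CryptoBool
ctIsZero w = ctNot (CryptoBool (negate ((w .|. negate w) `shiftR` (finiteBitSize w - 1))))
-- True iff x < y as unsigned values, branch-free (standard bit trick).
ctLt :: Word -> Word -> CryptoBool
ctLt x y = CryptoBool (negate ((x `xor` ((x `xor` y) .|. ((x - y) `xor` y))) `shiftR` (finiteBitSize x - 1)))

-- Digest comparison without early exit; unlike constEq it yields a CryptoBool.
ctEqBytes :: B.ByteString -> B.ByteString -> CryptoBool
ctEqBytes a b
  | B.length a /= B.length b = ctFalse   -- lengths are public
  | otherwise = ctIsZero (foldl' (.|.) 0 (map fromIntegral (B.zipWith xor a b)))

-- TLS padding check on a decrypted record: last byte p, then p more bytes equal to p,
-- with p + 1 + macLen fitting. Always scans the last min n 256 bytes (public length).
checkPadding :: Int -> B.ByteString -> CryptoBool
checkPadding macLen pt
  | n <= macLen = ctFalse
  | otherwise   = foldl' step lengthOk [0 .. min n 256 - 1]
  where
    n        = B.length pt
    padLen   = fromIntegral (B.last pt) :: Word
    lengthOk = ctLt padLen (fromIntegral (n - macLen))   -- padLen + 1 <= n - macLen
    step acc i =
      let b     = fromIntegral (B.index pt (n - 1 - i))
          inPad = ctLt (fromIntegral i) (padLen + 1)     -- byte i from the end is padding
      in acc `ctAnd` (ctNot inPad `ctOr` ctIsZero (b `xor` padLen))

-- A single branch for the whole record, taken on the combined word only.
recordValid :: CryptoBool -> CryptoBool -> Bool
recordValid (CryptoBool digestOk) (CryptoBool padOk) = digestOk .&. padOk /= 0
```

The scan visits the same number of positions whatever the padding length byte says, and positions past the claimed padding are neutralised by the inPad mask rather than by stopping early.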