logo

Observable Timing Discrepancy

Incomplete Base
Structure: Simple
Description

This vulnerability occurs when an application takes measurably different amounts of time to perform different operations, such as checking a password or processing a request. An attacker can observe these timing differences to learn sensitive information, like whether a username is valid or a cryptographic key guess is correct.

Extended Description

Timing discrepancies act as a side channel, leaking information through the back door of performance. Even tiny, millisecond differences in response times can be statistically analyzed by an attacker to map out internal application logic, bypassing intended security controls. This is especially dangerous in authentication, authorization, and cryptographic functions where a 'fast fail' for an incorrect input can reveal its validity. To exploit this, attackers don't need direct access to error messages or data—they simply measure how long operations take. For example, a string comparison that stops at the first mismatched character will return faster for a wrong password starting with an incorrect letter than for one starting with the correct letter. Over many requests, this allows an attacker to gradually infer secrets, piece by piece, by observing which operations take longer to complete.
Common Consequences 1
Scope: ConfidentialityAccess Control

Impact: Read Application DataBypass Protection Mechanism
Demonstrative Examples 2

ID : DX-173

Consider an example hardware module that checks a user-provided password to grant access to a user. The user-provided password is compared against a golden value in a byte-by-byte manner.

Code Example:

Bad
Verilog

always_comb @ (posedge clk)

begin

verilog
Since the code breaks on an incorrect entry of password, an attacker can guess the correct password for that byte-check iteration with few repeat attempts.
To fix this weakness, either the comparison of the entire string should be done all at once, or the attacker is not given an indication whether pass or fail happened by allowing the comparison to run through all bits before the grant_access signal is set.

Code Example:

Good
Verilog

always_comb @ (posedge clk) begin

verilog

ID : DX-193

In this example, the attacker observes how long an authentication takes when the user types in the correct password.
When the attacker tries their own values, they can first try strings of various length. When they find a string of the right length, the computation will take a bit longer, because the for loop will run at least once. Additionally, with this code, the attacker can possibly learn one character of the password at a time, because when they guess the first character right, the computation will take longer than a wrong guesses. Such an attack can break even the most sophisticated password with a few hundred guesses.

Code Example:

Bad
Python
python
Note that in this example, the actual password must be handled in constant time as far as the attacker is concerned, even if the actual password is of an unusual length. This is one reason why it is good to use an algorithm that, among other things, stores a seeded cryptographic one-way hash of the password, then compare the hashes, which will always be of the same length.
Observed Examples 9
CVE-2019-10071Java-oriented framework compares HMAC signatures using String.equals() instead of a constant-time algorithm, causing timing discrepancies
CVE-2019-10482Smartphone OS uses comparison functions that are not in constant time, allowing side channels
CVE-2014-0984Password-checking function in router terminates validation of a password entry when it encounters the first incorrect character, which allows remote attackers to obtain passwords via a brute-force attack that relies on timing differences in responses to incorrect password guesses, aka a timing side-channel attack.
CVE-2003-0078SSL implementation does not perform a MAC computation if an incorrect block cipher padding is used, which causes an information leak (timing discrepancy) that may make it easier to launch cryptographic attacks that rely on distinguishing between padding and MAC verification errors, possibly leading to extraction of the original plaintext, aka the "Vaudenay timing attack."
CVE-2000-1117Virtual machine allows malicious web site operators to determine the existence of files on the client by measuring delays in the execution of the getSystemResource method.
CVE-2003-0637Product uses a shorter timeout for a non-existent user than a valid user, which makes it easier for remote attackers to guess usernames and conduct brute force password guessing.
CVE-2003-0190Product immediately sends an error message when a user does not exist, which allows remote attackers to determine valid usernames via a timing attack.
CVE-2004-1602FTP server responds in a different amount of time when a given username exists, which allows remote attackers to identify valid usernames by timing the server response.
CVE-2005-0918Browser allows remote attackers to determine the existence of arbitrary files by setting the src property to the target filename and using Javascript to determine if the web page immediately stops loading, which indicates whether the file exists or not.
Applicable Platforms
Languages:
Not Language-Specific : Undetermined
Modes of Introduction
Architecture and Design
Implementation
Operation
Related Attack Patterns
Functional Areas
  1. Cryptography
  2. Authentication
Related Weaknesses
ChildOf: Observable Discrepancy (CWE-203)
CanPrecede: Covert Timing Channel (CWE-385)
CanPrecede: Use of a Broken or Risky Cryptographic Algorithm (CWE-327)
Taxonomy Mapping
  • PLOVER
Notes
RelationshipOften primary in cryptographic applications and algorithms.
MaintenanceCWE 4.16 removed a demonstrative example for a hardware module because it was inaccurate and unable to be adapted. The CWE team is developing an alternative.