Timing Leaks in authenticate()

[sarciszewski]

Example snippet

It appears that OAuth2 backends are using database lookups to validate access tokens. While relational databases are great for performant lookups, they're not so great for comparing cryptographic secrets without leaking timing information. To wit:

• http://blog.astrumfutura.com/2010/10/nanosecond-scale-remote-timing-attacks-on-php-applications-time-to-take-them-seriously/
• http://www.computerworld.com/article/2519195/security0/researchers--authentication-crack-could-affect-millions.html
• http://codahale.com/a-lesson-in-timing-attacks/
• http://matasano.com/research/TimeTrial.pdf
• https://github.com/dmayer/time_trial

A Python function that addresses this has already been written in the EFF's OpenWireless project

[blag]

This project is dead. Please see #119 (comment) for more information.