5
Out of curiosity I am looking for and slow many things about cryptography and also looking for some libraries in pure PHP, such as Sodium_compat, for the sole reason that I understand much more of PHP compared to C, which is ideal for encryption, as far as I know.
However something caught my eye on following part:
/**
* Use pack() and binary operators to turn the two integers
* into hexadecimal characters. We don't use chr() here, because
* it uses a lookup table internally and we want to avoid
* cache-timing side-channels.
*/
$hex .= pack(
'CC',
(55 + $b + ((($b - 10) >> 8) & ~6)),
(55 + $c + ((($c - 10) >> 8) & ~6))
);
I just couldn’t find much information about the cache-timing
, remembering that there is the cache-timing attack
and the timing attack
, which are separate things (or not?), the second has more information.
I found this information here, which is the most summarized and there is this other reply and comment that seems to be almost the answer to this question, but I’m not sure. Even based on the comment of the code I assume the problem is that the chr()
uses some kind of "array" (that would be the lookup table internally
?) as long as the pack()
but as then the pack()
is able to convert the whole to hexadecimal?
The point is, the pack()
supposedly is not vulnerable while the chr()
has such a problem, this is not even mentioned in the PHP documentation, perhaps because it is something very specific. What’s different about the functions inside? How do they convert the integers and why can one convert "more securely than the other"? Why both are not vulnerable?
I don’t know much about cryptography (it’s something that’s been on my list to study for a while), but I believe so, the
LUT internally
is basically an array, similar to the ASCII table itself. By the comments, the function avoid using ULT precisely to make the function slower, ie, take longer to compute it. I believe this is quite useful against attacks Brute-force Attack.– Woss