Authen-Passphrase
lib/Authen/Passphrase.pm
side-channel-resistant cryptography, so hardening Authen-Passphrase and
its underlying algorithms is not feasible. In any serious use of Perl
for cryptography, including for authentication using Authen-Passphrase,
an analysis should be made of the exposure to side-channel attacks,
and if necessary efforts made to further blunt the timing channel.

One timing attack that is very obviously feasible over the network is to
determine which of several passphrase hashing algorithms is being used.
This can potentially distinguish between classes of user accounts,
or distinguish between existing and non-existing user accounts when an
attacker is guessing usernames. To obscure this information requires
an extreme restriction of the timing channel, most likely by explicitly
pausing to standardise the amount of time spent on authentication.
This defence also rules out essentially all other timing attacks.
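
The pausing defence described above, sketched as an added example (not code from the Authen-Passphrase distribution). The account store, the 0.25 second budget and the name C<authenticate_padded> are assumptions made for illustration.

```perl
use strict;
use warnings;
use Time::HiRes qw(time sleep);
use Authen::Passphrase::SaltedDigest;
use Authen::Passphrase::RejectAll;

# Constructed sample account store (hypothetical, for illustration only).
my %accounts = (
    alice => Authen::Passphrase::SaltedDigest->new(
        algorithm => "SHA-1", salt_random => 20,
        passphrase => "correct horse"),
);

# Assumed budget in seconds: it must exceed the time taken by the slowest
# hashing scheme in use, otherwise that scheme remains distinguishable.
my $BUDGET = 0.25;

# Returns 1 on a match and 0 otherwise. Every call lasts at least $BUDGET
# seconds, whichever recogniser class (or none) handled the attempt.
sub authenticate_padded {
    my ($user, $passphrase) = @_;
    my $start = time;

    # Unknown usernames get a recogniser that rejects everything, so the
    # code path is the same as for an existing account.
    my $ppr = $accounts{$user} // Authen::Passphrase::RejectAll->new;
    my $ok  = $ppr->match($passphrase) ? 1 : 0;

    my $elapsed = time - $start;
    if ($elapsed < $BUDGET) {
        sleep($BUDGET - $elapsed);    # pad up to the fixed duration
    } else {
        # An overrun means the budget is too small and timing leaks again.
        warn sprintf("auth took %.3fs, budget is %.3fs\n", $elapsed, $BUDGET);
    }
    return $ok;
}

# Existing user with right and wrong passphrase, then a non-existing user.
for my $try ([alice => "correct horse"], [alice => "wrong"], [mallory => "x"]) {
    my $t0 = time;
    my $ok = authenticate_padded(@$try);
    printf "%-8s %-4s %.3fs\n", $try->[0], ($ok ? "ok" : "fail"), time - $t0;
}
```
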

=head1 PASSPHRASE ENCODINGS

Because hashed passphrases frequently need to be stored, various encodings
of them have been devised. This class has constructors and methods to
support these.