368 – Use of indistinguishable response time
Summary
Response time of authentication probes should be indistinguishable whether a user exists or not.
Description
This requirement aims to ensure that, regardless of the input or conditions, the response time of a system remains indistinguishable. By carefully measuring response times, an attacker may infer details about the internal operations of a system, potentially exposing sensitive information such as which usernames are registered.
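Added example (not part of this requirement page): a login function that returns early for unknown users, beside a version that performs the same password derivation whether or not the user exists, plus a small timing check a reviewer can run to compare the two. The user store, the dummy credential and the PBKDF2 parameters are constructed for the example.

```python
import hashlib
import hmac
import os
import statistics
import time

# Constructed sample credential store (not real data): username -> (salt, hash).
def derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

_SALT = os.urandom(16)
USERS = {"alice": (_SALT, derive("correct horse battery staple", _SALT))}

# Dummy credential: work is spent on it for unknown users so both paths cost the same.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = derive("dummy-never-accepted", _DUMMY_SALT)

def login_leaky(username: str, password: str) -> bool:
    """Violates the requirement: unknown users return before the slow
    key derivation, so a 'no such user' reply is measurably faster."""
    record = USERS.get(username)
    if record is None:
        return False
    salt, expected = record
    return hmac.compare_digest(derive(password, salt), expected)

def login_constant_work(username: str, password: str) -> bool:
    """Meets the requirement: the same derivation and comparison run
    whether or not the user exists, so timing does not reveal it."""
    salt, expected = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    match = hmac.compare_digest(derive(password, salt), expected)
    return match and username in USERS  # the dummy credential can never log in

def timing_ratio(login, known="alice", unknown="mallory", rounds=5) -> float:
    """Ratio of median probe times (slower / faster) for a known vs. an
    unknown username; close to 1.0 means the two cases are indistinguishable."""
    def probe(user):
        samples = []
        for _ in range(rounds):
            start = time.perf_counter()
            login(user, "wrong-password")
            samples.append(time.perf_counter() - start)
        return statistics.median(samples)
    t_known, t_unknown = probe(known), probe(unknown)
    return max(t_known, t_unknown) / min(t_known, t_unknown)
```

Run `timing_ratio(login_leaky)` and `timing_ratio(login_constant_work)` to see the gap collapse once the dummy derivation is in place.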
Supported In
Advanced: True
References
Last updated
2024/01/18