CWE-208
Observable Timing Discrepancy
AI Translation Available
Two separate operations in a product require different amounts of time to complete, in a way that is observable to an actor and reveals security-relevant information about the state of the product, such as whether a particular operation was successful or not.
Status
incomplete
Abstraction
base
Affected Platforms
Extended Description
AI Translation
In security-relevant contexts, even small variations in timing can be exploited by attackers to indirectly infer certain details about the product's internal operations. For example, in some cryptographic algorithms, attackers can use timing differences to infer certain properties about a private key, making the key easier to guess. Timing discrepancies effectively form a timing side channel.
Technical Details
AI Translation
Common Consequences
confidentiality
access control
Impacts
read application data
bypass protection mechanism
Potential Mitigations
Functional Areas
cryptography
authentication