boot-stateless-auth

Timing attack vulnerability

Open moparisthebest opened this issue 8 years ago • 0 comments

This should not use Arrays.equals: https://github.com/Robbert1/boot-stateless-auth/blob/master/src/main/java/com/jdriven/stateless/security/TokenHandler.java#L41

Instead it should use a constant-time equality-checking method like:

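public static boolean isEqual(byte[] a, byte[] b) {
    // Arrays of different length can never match; this early return reveals only the length.
    if (a.length != b.length) {
        return false;
    }

    // Accumulate the XOR of every byte pair so the loop always runs to the end,
    // regardless of where the first difference is.
    int result = 0;
    for (int i = 0; i < a.length; i++) {
        result |= a[i] ^ b[i];
    }
    return result == 0;
}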

Which is from https://codahale.com/a-lesson-in-timing-attacks/ which gives a good explanation of this exact vulnerability.

This seems like a popular article and code; I'd hate to see people using it in production in its current vulnerable state. Can you fix the article and code?

moparisthebest, Mar 28 '17 18:03
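An added example, not part of the issue and not the project's own code: a minimal HMAC token verifier that compares the presented MAC with the JDK's `MessageDigest.isEqual`, which current JDKs implement as a constant-time comparison, instead of `Arrays.equals`. The class name `ConstantTimeTokenCheck`, the token layout and the demo secret are assumptions made for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

// Added example: hypothetical verifier, not the project's TokenHandler.
// Assumed token layout: base64url(payload) + "." + base64url(HMAC-SHA256(payload)).
public class ConstantTimeTokenCheck {
    private final SecretKeySpec key;
    public ConstantTimeTokenCheck(byte[] secret) {
        this.key = new SecretKeySpec(secret, "HmacSHA256");
    }
    private byte[] hmac(byte[] payload) throws GeneralSecurityException {
        Mac mac = Mac.getInstance("HmacSHA256"); // Mac is stateful: one instance per call
        mac.init(key);
        return mac.doFinal(payload);
    }

    public String sign(String payload) throws GeneralSecurityException {
        byte[] p = payload.getBytes(StandardCharsets.UTF_8);
        Base64.Encoder enc = Base64.getUrlEncoder().withoutPadding();
        return enc.encodeToString(p) + "." + enc.encodeToString(hmac(p));
    }

    // Returns the payload if the MAC verifies, otherwise null.
    public String verify(String token) throws GeneralSecurityException {
        String[] parts = token.split("\\.");
        if (parts.length != 2) return null;
        byte[] payload, presented;
        try {
            payload = Base64.getUrlDecoder().decode(parts[0]);
            presented = Base64.getUrlDecoder().decode(parts[1]);
        } catch (IllegalArgumentException malformed) {
            return null;
        }
        // MessageDigest.isEqual: comparison time depends on length only, not on content.
        if (!MessageDigest.isEqual(hmac(payload), presented)) return null;
        return new String(payload, StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws Exception {
        byte[] secret = "constructed-demo-secret".getBytes(StandardCharsets.UTF_8);
        ConstantTimeTokenCheck h = new ConstantTimeTokenCheck(secret);
        String token = h.sign("{\"user\":\"alice\"}"); // constructed sample payload
        System.out.println(h.verify(token));        // untouched token
        System.out.println(h.verify(token + "A"));  // token with an altered MAC part
    }
}
```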