Uploaded image for project: 'WildFly Elytron'
  1. WildFly Elytron
  2. ELY-2814

Update UnixSHACryptPasswordImpl to make use of MessageDigest#isEqual to avoid a potential timing attack

XMLWordPrintable

    • Icon: Task Task
    • Resolution: Done
    • Icon: Major Major
    • 2.6.1.CR1
    • None
    • None

      There are 2 places in UnixSHACryptPasswordImpl where Arrays#equals is currently used.

      Arrays#equals is vulnerable to timing attacks because it uses a non time-constant comparison.

      MessageDigest#isEqual uses a time-constant comparison which means that all bytes in the arrays will be compared.

      Update UnixSHACryptPasswordImpl so that it uses the MessageDigest#isEqual method instead of Arrays#equals.

              luisaball Luisa Ball (Inactive)
              fjuma1@redhat.com Farah Juma
              Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

                Created:
                Updated:
                Resolved: