This should not use Arrays.equals:
https://github.com/Robbert1/boot-stateless-auth/blob/master/src/main/java/com/jdriven/stateless/security/TokenHandler.java#L41

Instead it should use a constant time equality checking method like

```java
public static boolean isEqual(byte[] a, byte[] b) {
    if (a.length != b.length) {
        return false;
    }
    // OR every XOR'd byte pair together instead of returning early, so the
    // loop always runs over the full length whatever the first mismatch is.
    int result = 0;
    for (int i = 0; i < a.length; i++) {
        result |= a[i] ^ b[i];
    }
    return result == 0;
}
```

Which is from https://codahale.com/a-lesson-in-timing-attacks/ which gives a good explanation of this exact vulnerability.

This seems like a popular article and code; I'd hate to see people using it in production in its current vulnerable state. Can you fix the article and code?
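The fix the issue asks for, applied to a hypothetical, simplified token handler (an added example, not the project's TokenHandler; the class name and the `payload.mac` token layout are assumptions). It verifies the HMAC with the JDK's own constant-time comparison, `MessageDigest.isEqual`, rather than `Arrays.equals`:

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

// Hypothetical stand-in for the project's TokenHandler (assumed layout, not its code).
// Token layout: base64url(payload) + "." + base64url(HMAC-SHA256(payload)).
public final class ConstantTimeTokenHandler {
    private static final String HMAC_ALG = "HmacSHA256";
    private static final Base64.Encoder ENC = Base64.getUrlEncoder().withoutPadding();
    private static final Base64.Decoder DEC = Base64.getUrlDecoder();
    private final SecretKeySpec key;

    public ConstantTimeTokenHandler(byte[] secret) {
        this.key = new SecretKeySpec(secret, HMAC_ALG);
    }

    public String createToken(String payload) throws Exception {
        byte[] body = payload.getBytes(StandardCharsets.UTF_8);
        return ENC.encodeToString(body) + "." + ENC.encodeToString(hmac(body));
    }

    // Returns the payload when the MAC verifies, otherwise null.
    public String parseToken(String token) throws Exception {
        int dot = token.lastIndexOf('.');
        if (dot < 0) {
            return null;
        }
        byte[] body = DEC.decode(token.substring(0, dot));
        byte[] mac = DEC.decode(token.substring(dot + 1));
        // Not Arrays.equals: it returns at the first differing byte, so response time
        // leaks how many leading MAC bytes are right. MessageDigest.isEqual checks every byte.
        if (!MessageDigest.isEqual(hmac(body), mac)) {
            return null;
        }
        return new String(body, StandardCharsets.UTF_8);
    }

    private byte[] hmac(byte[] data) throws Exception {
        Mac mac = Mac.getInstance(HMAC_ALG);
        mac.init(key);
        return mac.doFinal(data);
    }

    public static void main(String[] args) throws Exception {
        ConstantTimeTokenHandler h = new ConstantTimeTokenHandler("demo-secret".getBytes(StandardCharsets.UTF_8));
        String token = h.createToken("user=alice");
        // Reuse alice's MAC on a different payload: must be rejected (null).
        String forged = ENC.encodeToString("user=admin".getBytes(StandardCharsets.UTF_8)) + token.substring(token.lastIndexOf('.'));
        System.out.println(h.parseToken(token) + " / " + h.parseToken(forged));
    }
}
```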