[cryptography] Digest comparison algorithm

Jerrie Union jerrieunion at gmail.com
Thu Dec 1 17:37:22 EST 2011


Given the following Java code:

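import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

public boolean check(byte[] digest, byte[] secret) throws NoSuchAlgorithmException {
    // MD5 of the secret, computed with the JDK's MessageDigest
    byte[] hash = MessageDigest.getInstance("MD5").digest(secret);

    if (digest.length != hash.length) {
        return false;
    }

    // Byte-by-byte comparison that returns at the first mismatch
    for (int i = 0; i < digest.length; i++) {
        if (digest[i] != hash[i]) {
            return false;
        }
    }

    return true;
}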

I’m wondering whether, if it’s running as some authenticated server application,
it should be considered resistant to timing attacks nowadays. I’m aware that’s
not a good practice, but I’m not clear if I should consider it as exploitable over the
network (in both intranet and internet scenarios).

I would like to run some tests, but I’m not sure if I should follow some specific
approach. Has anyone done some research recently?
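
An added example, not part of the original post: it counts how many bytes the early-exit loop above examines as the position of the first mismatch moves, and sets it beside a comparison that always examines every byte. The class name, helper names and sample secret are assumptions made for this illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

public class DigestCompareDemo {
    // Early-exit comparison as in the post; returns how many bytes were examined.
    static int earlyExitSteps(byte[] digest, byte[] hash) {
        if (digest.length != hash.length) {
            return 0;
        }
        for (int i = 0; i < digest.length; i++) {
            if (digest[i] != hash[i]) {
                return i + 1; // work done grows with the matching prefix length
            }
        }
        return digest.length;
    }

    // Hardened comparison: every byte is examined wherever the mismatch is.
    static boolean constantTimeEquals(byte[] digest, byte[] hash) {
        if (digest.length != hash.length) {
            return false;
        }
        int diff = 0;
        for (int i = 0; i < digest.length; i++) {
            diff |= digest[i] ^ hash[i]; // accumulate differences, never branch on them
        }
        return diff == 0;
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        // Constructed sample secret, for illustration only.
        byte[] hash = MessageDigest.getInstance("MD5")
                .digest("example-secret".getBytes(StandardCharsets.UTF_8));

        for (int prefix : new int[] {0, 4, 8, 15}) {
            byte[] guess = hash.clone();
            guess[prefix] ^= 0x01; // first mismatch at index `prefix`
            System.out.printf("mismatch at %2d: early-exit examined %2d bytes, "
                    + "constantTime=%b, MessageDigest.isEqual=%b%n",
                    prefix, earlyExitSteps(guess, hash),
                    constantTimeEquals(guess, hash), MessageDigest.isEqual(guess, hash));
        }
        System.out.println("equal input: " + MessageDigest.isEqual(hash.clone(), hash));
    }
}
```

In current JDKs `MessageDigest.isEqual` is itself a time-constant comparison, so it can replace the hand-written loop directly.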






