[cryptography] Digest comparison algorithm

Alfonso De Gregorio adg at crypto.lo.gy
Thu Dec 1 18:04:01 EST 2011


On Thu, Dec 1, 2011 at 11:37 PM, Jerrie Union <jerrieunion at gmail.com> wrote:
>
> Given the following Java code:
>
> public boolean check(byte[] digest, byte[] secret) {
>      byte[] hash = md5(secret);
>
>      if (digest.length != hash.length)  {
>        return false;
>      }
>
>      // returns on the first mismatching byte, so the running time
>      // depends on how many leading bytes of digest are correct
>      for (int i = 0; i < digest.length; i++) {
>        if (digest[i] != hash[i]) {
>              return false;
>        }
>      }
>
>      return true;
> }
>
> I’m wondering, if it’s running as some authenticated server application, whether
> it should be considered resistant to timing attacks nowadays. I’m aware that’s
> not good practice, but I’m not clear whether I should consider it exploitable over the
> network (in both intranet and internet scenarios).

You should.

The code above leaks timing information and becomes exploitable, given
enough measurements.

(also, consider not storing the secret in plaintext)

> I would like to run some tests, but I’m not sure whether I should follow some specific
> approach. Has anyone done some research recently?

Sebastian Schinzel, who is presenting his research on December 28th at 28C3:
Time is on my Side - exploiting timing side channel vulnerabilities on
the web: http://events.ccc.de/congress/2011/Fahrplan/events/4640.en.html

Cheers,

-- alfonso     blogs at http://Plaintext.crypto.lo.gy   tweets @secYOUre