Timing attack vulnerability #7
Description
This should not use Arrays.equals:
https://github.com/Robbert1/boot-stateless-auth/blob/master/src/main/java/com/jdriven/stateless/security/TokenHandler.java#L41
Instead it should use a constant time equality checking method like
public static boolean isEqual(byte[] a, byte[] b) {
if (a.length != b.length) {
return false;
}
int result = 0;
for (int i = 0; i < a.length; i++) {
result |= a[i] ^ b[i];
}
return result == 0;
}
Which is from https://codahale.com/a-lesson-in-timing-attacks/ which gives a good explanation of this exact vulnerability.
This seems like a popular article and code, I'd hate to see people using it in production in it's current vulnerable state, can you fix the article and code?