Posted to oak-issues@jackrabbit.apache.org by "Thomas Mueller (JIRA)" <ji...@apache.org> on 2014/03/26 11:16:15 UTC
[jira] [Created] (OAK-1616) Password utility: prevent timing attacks
Thomas Mueller created OAK-1616:
-----------------------------------
Summary: Password utility: prevent timing attacks
Key: OAK-1616
URL: https://issues.apache.org/jira/browse/OAK-1616
Project: Jackrabbit Oak
Issue Type: Improvement
Components: security
Reporter: Thomas Mueller
Assignee: Thomas Mueller
Priority: Minor
Fix For: 0.20
Currently, password hashes are compared by looping over the hash and stopping on the first mismatch. In theory an attacker can launch a timing attack.
I don't think it's a problem by itself in practice, but it might be in combination with other issues, for example if the hash algorithm is somewhat broken or the salt is known to the attacker.
But anyway, it's easy to fix, so I think it should be fixed.
--
This message was sent by Atlassian JIRA
(v6.2#6252)
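The issue above describes a hash comparison that returns at the first mismatching byte. The following is an added example written for this page, not code from Jackrabbit Oak or from the reporter: it puts that early-exit loop next to a constant-time comparison that always walks the full array and accumulates differences with XOR/OR, so its running time no longer depends on where (or whether) the first mismatch occurs. The salted SHA-256 hashing in the example is only a stand-in for whatever password-hashing scheme a real store uses; the class and method names are assumptions for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;

// Added example for OAK-1616; not Oak's own password utility.
public class PasswordCompareExample {

    // The pattern described in the issue: the loop returns on the first
    // mismatch, so the elapsed time leaks how many leading bytes of the
    // candidate hash agree with the stored hash.
    static boolean earlyExitEquals(byte[] a, byte[] b) {
        if (a.length != b.length) {
            return false;
        }
        for (int i = 0; i < a.length; i++) {
            if (a[i] != b[i]) {
                return false; // early exit: timing depends on i
            }
        }
        return true;
    }

    // Constant-time comparison: every byte is visited regardless of input,
    // and differences are OR-ed into an accumulator instead of branching.
    // Only the length is compared up front; hash length is fixed per
    // algorithm, so it is not secret. Current JDKs also provide
    // MessageDigest.isEqual(byte[], byte[]) for this purpose.
    static boolean constantTimeEquals(byte[] a, byte[] b) {
        if (a.length != b.length) {
            return false;
        }
        int diff = 0;
        for (int i = 0; i < a.length; i++) {
            diff |= a[i] ^ b[i];
        }
        return diff == 0;
    }

    // Stand-in hashing scheme (assumption, not Oak's): SHA-256 over
    // salt || password. A real store would use an iterated, salted PBKDF.
    static byte[] hash(byte[] salt, String password) {
        try {
            MessageDigest md = MessageDigest.getInstance("SHA-256");
            md.update(salt);
            md.update(password.getBytes(StandardCharsets.UTF_8));
            return md.digest();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 unavailable", e);
        }
    }

    public static void main(String[] args) {
        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt);

        byte[] stored = hash(salt, "correct horse battery staple");
        byte[] good = hash(salt, "correct horse battery staple");
        byte[] bad = hash(salt, "Tr0ub4dor&3");

        // Both comparators give the same answers; only their timing differs.
        System.out.println("early-exit, correct password:    " + earlyExitEquals(stored, good));
        System.out.println("early-exit, wrong password:      " + earlyExitEquals(stored, bad));
        System.out.println("constant-time, correct password: " + constantTimeEquals(stored, good));
        System.out.println("constant-time, wrong password:   " + constantTimeEquals(stored, bad));

        // Mismatch at the very first byte versus mismatch only at the last byte:
        // earlyExitEquals does 1 iteration in the first case and 32 in the second,
        // while constantTimeEquals does 32 in both.
        byte[] firstByteWrong = stored.clone();
        firstByteWrong[0] ^= 0x01;
        byte[] lastByteWrong = stored.clone();
        lastByteWrong[stored.length - 1] ^= 0x01;
        System.out.println("first byte wrong (constant-time): " + constantTimeEquals(stored, firstByteWrong));
        System.out.println("last byte wrong (constant-time):  " + constantTimeEquals(stored, lastByteWrong));
    }
}
```

The fix is cheap, as the issue says: the constant-time version is the same loop without the branch. Note that the accumulator must be combined with `|=` rather than an `if`, and the result checked only after the loop, otherwise the JIT can reintroduce an early exit; comparing lengths first is fine because the digest length is public.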