Posted to oak-issues@jackrabbit.apache.org by "Thomas Mueller (JIRA)" <ji...@apache.org> on 2014/03/26 11:16:15 UTC

[jira] [Created] (OAK-1616) Password utility: prevent timing attacks

Thomas Mueller created OAK-1616:
-----------------------------------

             Summary: Password utility: prevent timing attacks
                 Key: OAK-1616
                 URL: https://issues.apache.org/jira/browse/OAK-1616
             Project: Jackrabbit Oak
          Issue Type: Improvement
          Components: security
            Reporter: Thomas Mueller
            Assignee: Thomas Mueller
            Priority: Minor
             Fix For: 0.20


Currently, password hashes are compared by looping over the hash and stopping on the first mismatch. In theory an attacker can launch a timing attack.

I don't think it's a problem by itself in practice, but it might in combination with other issues. For example, if the hash algorithm is somewhat broken, or the salt is known to the attacker. 

But anyway, it's easy to fix, so I think it should be fixed.
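As an added illustration (this is not Oak's own code and is not part of the issue), the early-exit loop described above beside a constant-time replacement, written in Java since Oak is a Java project. The class name `HashCompare`, the method names and the sample values are all constructed for this example.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;

public class HashCompare {

    // Early-exit comparison: returns as soon as one byte differs, so the
    // elapsed time depends on how many leading bytes of the guess matched.
    static boolean earlyExitEquals(byte[] expected, byte[] actual) {
        if (expected.length != actual.length) {
            return false;
        }
        for (int i = 0; i < expected.length; i++) {
            if (expected[i] != actual[i]) {
                return false;
            }
        }
        return true;
    }

    // Constant-time comparison: XOR each byte pair and OR the result into an
    // accumulator; the loop always runs over the full length, and the data
    // only influences the final answer, not the number of iterations.
    static boolean constantTimeEquals(byte[] expected, byte[] actual) {
        if (expected.length != actual.length) {
            return false;
        }
        int diff = 0;
        for (int i = 0; i < expected.length; i++) {
            diff |= expected[i] ^ actual[i];
        }
        return diff == 0;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample values: a stored hash and two candidates.
        byte[] stored = MessageDigest.getInstance("SHA-256")
                .digest("constructed-sample-password".getBytes(StandardCharsets.UTF_8));
        byte[] good = stored.clone();
        byte[] bad = stored.clone();
        bad[bad.length - 1] ^= 0x01; // differs only in the last byte

        System.out.println("early-exit, match:     " + earlyExitEquals(stored, good));
        System.out.println("constant-time, match:  " + constantTimeEquals(stored, good));
        System.out.println("constant-time, differ: " + constantTimeEquals(stored, bad));
        // The JDK's own constant-time comparison, usable instead of a hand-written loop:
        System.out.println("MessageDigest.isEqual: " + MessageDigest.isEqual(stored, bad));
    }
}
```

The length check still returns early, which is acceptable here because hash output length is fixed by the algorithm and is not secret. Where a standard library routine such as `MessageDigest.isEqual` is available, it is preferable to a hand-written loop, since the JIT cannot be trusted to preserve timing properties of arbitrary code the way a maintained library routine is audited to.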



--
This message was sent by Atlassian JIRA
(v6.2#6252)