i2p / i2p.i2p

I2P is an anonymizing network, offering a simple layer that identity-sensitive applications can use to securely communicate. All data is wrapped with several layers of encryption, and the network is both distributed and dynamic, with no trusted parties.
https://geti2p.net

Observable Timing Discrepancy (Timing Attack) #65

Open s-b-repo opened 9 months ago

s-b-repo commented 9 months ago
        return digestHexCache;
    }

    public boolean digestEquals(byte[] otherDigest) {
        return Arrays.equals(digest, otherDigest);
    }

An attacker can guess the secret value of digest because it is compared using java.util.Arrays.equals, which is vulnerable to timing attacks. Use java.security.MessageDigest.isEqual to compare values securely. Line 154: /core/java/src/org/minidns/record/DelegatingDnssecRR.java#L154
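
An added example, not part of the original issue and not code from I2P or minidns: the flagged comparison next to the suggested `MessageDigest.isEqual` replacement, with a check that both return the same result for equal, mismatching, truncated and null inputs, which is what a maintainer would want to confirm before swapping one for the other. `DigestHolder` and its method names are hypothetical, the sample digest is constructed, and JDK 8 or later is assumed.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;

// Added illustration; DigestHolder is a hypothetical stand-in, not the minidns class.
public class DigestCompareExample {

    static final class DigestHolder {
        private final byte[] digest;

        DigestHolder(byte[] digest) {
            this.digest = digest.clone(); // defensive copy
        }

        // Pattern flagged in the report: the comparison may return at the first
        // mismatch, so its duration can depend on how much of the input matches.
        boolean digestEqualsVariableTime(byte[] otherDigest) {
            return Arrays.equals(digest, otherDigest);
        }

        // Suggested replacement: time-constant comparison of the byte contents.
        boolean digestEqualsConstantTime(byte[] otherDigest) {
            return MessageDigest.isEqual(digest, otherDigest);
        }
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        // Constructed sample input, not a value from the project.
        byte[] expected = MessageDigest.getInstance("SHA-256")
                .digest("constructed sample record".getBytes(StandardCharsets.UTF_8));
        DigestHolder holder = new DigestHolder(expected);

        byte[] same = expected.clone();
        byte[] lastByteDiffers = expected.clone();
        lastByteDiffers[lastByteDiffers.length - 1] ^= 0x01;
        byte[] truncated = Arrays.copyOf(expected, 16);

        byte[][] cases = { same, lastByteDiffers, truncated, null };
        String[] names = { "same", "lastByteDiffers", "truncated", "null" };
        for (int i = 0; i < cases.length; i++) {
            boolean a = holder.digestEqualsVariableTime(cases[i]);
            boolean b = holder.digestEqualsConstantTime(cases[i]);
            if (a != b) throw new AssertionError("result mismatch for " + names[i]);
            System.out.println(names[i] + ": " + b); // true only for "same"
        }
    }
}
```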

eyedeekay commented 9 months ago

Definitely worth considering this change. Thanks for the report. I'll evaluate it and when I have decided on the change I'll reply here.

s-b-repo commented 9 months ago

No problem