pcibraro / hawknet

Hawk protocol implementation for .NET
MIT License

Timing oracle that is likely exploitable to forge MACs #11

Closed jbtule closed 11 years ago

jbtule commented 11 years ago

Hawk.cs:L135:

            if (!mac.Equals(attributes["mac"]))
            {
                throw new SecurityException("Bad mac");
            }

This is a well-known implementation mistake. You should use a constant time comparison.
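A constant-time replacement for the check quoted in the issue, as an added example that is not part of the original report or of hawknet's code. `MacCheck`, `MacsMatch` and `FixedTimeEqualsManual` are hypothetical names, the key and message in `Main` are constructed sample values, and the example assumes both MACs are base64 strings.

```csharp
using System;
using System.Runtime.CompilerServices;
using System.Security.Cryptography;
using System.Text;

static class MacCheck   // hypothetical helper, not hawknet code
{
    // Decode both values and compare the raw bytes without stopping at the
    // first difference, so response time does not reveal how many leading
    // bytes of a guessed MAC were correct.
    public static bool MacsMatch(string computedMac, string receivedMac)
    {
        if (computedMac == null || receivedMac == null) return false;
        byte[] expected, received;
        try
        {
            expected = Convert.FromBase64String(computedMac);
            received = Convert.FromBase64String(receivedMac);
        }
        catch (FormatException) { return false; }   // malformed header value
        // Built in since .NET Core 2.1; returns false when lengths differ.
        return CryptographicOperations.FixedTimeEquals(expected, received);
    }

    // Fallback for older runtimes that lack CryptographicOperations.
    [MethodImpl(MethodImplOptions.NoInlining | MethodImplOptions.NoOptimization)]
    public static bool FixedTimeEqualsManual(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;     // MAC length is not secret
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    static void Main()
    {
        // Constructed sample key and message, for demonstration only.
        using var hmac = new HMACSHA256(Encoding.UTF8.GetBytes("sample-key"));
        string good = Convert.ToBase64String(
            hmac.ComputeHash(Encoding.UTF8.GetBytes("sample-request")));
        string forged = Convert.ToBase64String(
            hmac.ComputeHash(Encoding.UTF8.GetBytes("other-request")));
        Console.WriteLine(MacsMatch(good, good));
        Console.WriteLine(MacsMatch(good, forged));
        Console.WriteLine(MacsMatch(good, "not base64!"));
    }
}
```

The caller keeps the original control flow: throw the `SecurityException` when `MacsMatch` returns false.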