On 2/12/11 09:37 AM, Jerrie Union wrote:
I’m wondering, if it’s running as some authenticated server application, if
it should be considered as resistant to time attacks nowadays. I’m aware that’s
not a good practice, but I’m not clear if I should consider it as exploitable
over the network (on both intranet and internet scenarios).
You're doing a digest first, so the remaining code is in the noise
level. And even if it comes back with some detectable difference,
what's it telling you? You can't look back from the bit position of the
wrong guess easily enough to make any sense of it, that's the property
of a message digest.
But if it's a worry, rewrite it?
    static boolean digestEquals(byte[] digest, byte[] hash) {  // assumes both digests have the same length
        int sum = 0;
        for (int i = 0; i < digest.length; i++)   // visit every byte; no early exit on a mismatch
            sum += Math.abs(digest[i] - hash[i]);
        return (0 == sum);
    }
(Just thinking about it, not checking it at all...)
iang
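As an added illustration (not code from the thread), here are the three comparison strategies discussed above in Python: the early-exit compare, the accumulate-then-decide compare iang sketches (written with XOR/OR instead of abs(), since abs() can compile to a data-dependent branch), and the digest-first trick. The key and message are constructed sample values.

```python
import hashlib
import hmac

# Constructed sample values (not from the thread).
KEY = b"constructed-demo-key"
MESSAGE = b"GET /resource"


def tag(key: bytes, message: bytes) -> bytes:
    """HMAC-SHA256 tag a server would store or recompute for MESSAGE."""
    return hmac.new(key, message, hashlib.sha256).digest()


def naive_equal(a: bytes, b: bytes) -> bool:
    """Early-exit comparison: runtime depends on where the first mismatching byte is."""
    if len(a) != len(b):
        return False
    for x, y in zip(a, b):
        if x != y:
            return False
    return True


def sum_equal(a: bytes, b: bytes) -> bool:
    """The thread's idea: touch every byte, decide once at the end.
    XOR/OR replaces abs() so the loop body has no data-dependent branch."""
    if len(a) != len(b):
        return False
    acc = 0
    for x, y in zip(a, b):
        acc |= x ^ y
    return acc == 0


def digest_then_compare(a: bytes, b: bytes) -> bool:
    """Hash both sides first. Even a leaky compare of H(a) against H(b) only
    reveals the position of a differing bit of H(b), which does not help
    an attacker reconstruct a byte of a (preimage resistance)."""
    return naive_equal(hashlib.sha256(a).digest(), hashlib.sha256(b).digest())


def verify(candidate_tag: bytes) -> bool:
    """What production code should do: the stdlib's constant-time comparison."""
    return hmac.compare_digest(tag(KEY, MESSAGE), candidate_tag)
```

Note that `sum_equal` still leaks the length via its early return; callers comparing fixed-size digests are unaffected, and `hmac.compare_digest` handles this for you.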
_______________________________________________
cryptography mailing list
[email protected]
http://lists.randombit.net/mailman/listinfo/cryptography