Yannic Noller created FTPSERVER-487:
---------------------------------------
Summary: Timing Side Channel in SaltedPasswordEncryptor.encrypt(String password, String salt)
Key: FTPSERVER-487
URL: https://issues.apache.org/jira/browse/FTPSERVER-487
Project: FtpServer
Issue Type: Bug
Components: Core
Affects Versions: 1.1.1
Environment: tested on macOS High Sierra 10.13.4, but it is not relevant
Reporter: Yannic Noller
Dear Apache FTPServer developers,
We have found a timing side-channel in class
org.apache.ftpserver.usermanager.SaltedPasswordEncryptor, method "private
String encrypt(String password, String salt)". This encryption method leaks
information about the salt. The processing time in this method differs for
different salt values. Therefore, a potential attacker could retrieve
information about the generated salt, which is important to guess the stored
password.
Do you agree with our findings?
We identified this side-channel after fixing the one mentioned in:
[FTPSERVER-485|https://issues.apache.org/jira/browse/FTPSERVER-485]
Please feel free to contact us for further clarification! You can reach us by
the following email address: [email protected]
Best regards,
Yannic Noller
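The report states the symptom (runtime of encrypt() varies with the salt) but not the cause, so nothing below claims to reproduce the FtpServer code. What a maintainer would want alongside such a report is a regression check that measures whether an encryptor's runtime depends on the salt at all. The following is an added example, not code from Apache FtpServer or from the reporter: `salted_digest` is a constructed, branch-free stand-in for an encrypt(password, salt) routine, `digests_match` shows a comparison without early exit, and `measure_leak` times the routine across several constructed salts and reports the slowest/fastest ratio. The salts and password are made-up inputs.

```python
"""Timing-leakage check for a salted password encryptor.

Added illustration, not Apache FtpServer code. The encryptor is a
constructed stand-in; measure_leak() is the kind of check a maintainer
could point at the real SaltedPasswordEncryptor to see whether its
runtime moves with the salt value.
"""
import hashlib
import hmac
import statistics
import time
from typing import Callable, Dict, List, Tuple


def salted_digest(password: str, salt: str) -> str:
    """Constructed stand-in for encrypt(password, salt).

    Concatenates salt and password and hashes the result. There is no
    salt-dependent branch or early return, so the work done (and hence the
    runtime) should not depend on which salt was supplied.
    """
    data = (salt + password).encode("utf-8")
    return hashlib.sha256(data).hexdigest()


def digests_match(expected: str, actual: str) -> bool:
    """Compare two hex digests without an early exit on the first mismatch."""
    return hmac.compare_digest(expected.encode("utf-8"), actual.encode("utf-8"))


def median_runtime_ns(fn: Callable[..., object], args: tuple, rounds: int) -> float:
    """Median wall-clock time of fn(*args) over `rounds` calls, in nanoseconds."""
    samples: List[int] = []
    for _ in range(rounds):
        t0 = time.perf_counter_ns()
        fn(*args)
        samples.append(time.perf_counter_ns() - t0)
    return statistics.median(samples)


def measure_leak(
    fn: Callable[[str, str], str],
    password: str,
    salts: List[str],
    rounds: int = 2000,
) -> Tuple[Dict[str, float], float]:
    """Time fn(password, salt) for each salt.

    Returns (median_ns_per_salt, ratio) where ratio = slowest / fastest.
    A ratio that stays near 1.0 across runs is what a constant-work
    encryptor should produce; a stable ratio well above 1.0 for particular
    salts is the signal the report describes. Timing is noisy, so treat a
    single run as indicative only and repeat before drawing conclusions.
    """
    per_salt = {s: median_runtime_ns(fn, (password, s), rounds) for s in salts}
    fastest = min(per_salt.values())
    slowest = max(per_salt.values())
    ratio = slowest / fastest if fastest > 0 else float("inf")
    return per_salt, ratio


if __name__ == "__main__":
    # Constructed inputs: salts of differing length and content.
    sample_salts = ["a1b2c3d4", "ffffffff", "00000000", "deadbeefcafe"]
    medians, leak_ratio = measure_leak(salted_digest, "correct horse", sample_salts)
    for salt, ns in medians.items():
        print(f"salt={salt!r:16} median={ns:8.0f} ns")
    print(f"slowest/fastest ratio: {leak_ratio:.2f}")
```

Run it as a script to see the per-salt medians; when used as a regression check, call `measure_leak` with the real encryptor and fail the test only if the ratio exceeds a threshold consistently across repeated runs, since a single noisy measurement proves nothing either way.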
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)