[
https://issues.apache.org/jira/browse/FTPSERVER-487?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16483998#comment-16483998
]
Jonathan Valliere commented on FTPSERVER-487:
---------------------------------------------
The only thing I can think of to resolve this would be to create a huge padded
string.
> Timing Side Channel SaltedPasswordEncryptor.encrypt(String password, String
> salt)
> ---------------------------------------------------------------------------------
>
> Key: FTPSERVER-487
> URL: https://issues.apache.org/jira/browse/FTPSERVER-487
> Project: FtpServer
> Issue Type: Bug
> Components: Core
> Affects Versions: 1.1.1
> Environment: tested on macOS High Sierra 10.13.4, but it is not
> relevant
> Reporter: Yannic Noller
> Priority: Major
> Labels: security
>
> Dear Apache FTPServer developers,
> We have found a timing side-channel in class
> org.apache.ftpserver.usermanager.SaltedPasswordEncryptor, method "private
> String encrypt(String password, String salt)". This encryption method leaks
> information about the salt. The processing time in this method differs for
> different salt values. Therefore, a potential attacker could retrieve
> information about the generated salt, which is important to guess the stored
> password.
> Do you agree with our findings?
> We identified this side-channel after fixing the one mentioned in:
> [FTPSERVER-485|https://issues.apache.org/jira/browse/FTPSERVER-485]
> Please feel free to contact us for further clarification! You can reach us by
> the following email address: [email protected]
> Best regards,
> Yannic Noller
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
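The padded-string idea from the comment above, written out as an added example (not FtpServer's own code): a comparison whose running time depends only on a fixed limit, not on the length or content of the salt or password being compared. The class name, the method name secureCompare and the LIMIT value are assumptions, and the stored value is a constructed sample.

```java
import java.nio.charset.StandardCharsets;
import java.util.Arrays;

/**
 * Added example, not FtpServer's own code. Both inputs are copied into
 * fixed-size buffers and every byte is visited, so a mismatch in the
 * first byte costs the same as a mismatch in the last, and a short salt
 * costs the same as a long one. Names and LIMIT are assumptions.
 */
public final class PaddedCompare {
    /** Upper bound on the length of any value we compare (assumed). */
    static final int LIMIT = 1024;

    static boolean secureCompare(String expected, String supplied) {
        byte[] e = expected.getBytes(StandardCharsets.UTF_8);
        byte[] s = supplied.getBytes(StandardCharsets.UTF_8);
        // Fold the length difference in first so that "abc" and "abc\0"
        // still differ after zero-padding, but never return early.
        int diff = e.length ^ s.length;
        byte[] a = pad(e);
        byte[] b = pad(s);
        for (int i = 0; i < LIMIT; i++) {
            diff |= a[i] ^ b[i];
        }
        return diff == 0;
    }

    /** Copies into a LIMIT-sized, zero-filled buffer; oversized input is rejected. */
    private static byte[] pad(byte[] in) {
        if (in.length > LIMIT) {
            throw new IllegalArgumentException("value longer than LIMIT");
        }
        return Arrays.copyOf(in, LIMIT);
    }

    public static void main(String[] args) {
        // Constructed sample in the "salt:hash" shape, not a real credential.
        String stored = "c2FsdA==:e99a18c428cb38d5f260853678922e03";
        System.out.println(secureCompare(stored, stored));
        System.out.println(secureCompare(stored, "c2FsdA==:ffffffff"));
        System.out.println(secureCompare(stored, "c2Fs:e99a18c428cb38d5f260853678922e03"));
    }
}
```

The fixed LIMIT also bounds the work an oversized input can force; the JIT can still reorder or vectorise the loop, so measure on the target JVM rather than assuming constant time from the source alone.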