Bug #2395: Digest<Hash>::operator== is vulnerable to timing attack - ndn-cxx - NDN project issue tracking system

Actions

Copy link

Bug #2395

closed

Digest<Hash>::operator== is vulnerable to timing attack

Added by Junxiao Shi over 9 years ago. Updated about 9 years ago.

Status:

Closed

Priority:

Normal

Assignee:

Junxiao Shi

Category:

Utils

Target version:

v0.3

Start date:

01/18/2015

Due date:

% Done:

100%

Estimated time:

Description

Digest<Hash>::operator== uses Block::operator== which uses std::equals which is not a constant-time algorithm.

Digest is often used in security related context, but a non-constant-time Digest<Hash>::operator== is vulnerable to timing attack.

Possible solutions:

either implement Digest<Hash>::operator== using a constant-time algorithm, see http://codahale.com/a-lesson-in-timing-attacks/
or add \warning This method cannot be used in security related context because it is vulnerable to timing attack to Doxygen block

History
Notes
Property changes

Actions

Copy link

Also available in: Atom PDF

Project

General

Profile

NFD » ndn-cxx

Tags

Bug #2395

Digest<Hash>::operator== is vulnerable to timing attack

Updated by Alex Afanasyev over 9 years ago

Updated by Junxiao Shi about 9 years ago

Updated by Junxiao Shi about 9 years ago

Updated by Alex Afanasyev about 9 years ago