Given the following Java code:

    public boolean check(byte[] digest, byte[] secret) {
        // md5() is assumed to be a helper returning the MD5 digest as byte[]
        byte[] hash = md5(secret);
        if (digest.length != hash.length) {
            return false;
        }
        // returns at the first mismatching byte
        for (int i = 0; i < digest.length; i++) {
            if (digest[i] != hash[i]) {
                return false;
            }
        }
        return true;
    }

I’m wondering whether, if it’s running as some authenticated server application, it should be considered resistant to timing attacks nowadays. I’m aware that’s not a good practice, but I’m not clear if I should consider it exploitable over the network (in both intranet and internet scenarios).

I would like to run some tests, but I’m not sure if I should follow some specific approach. Has anyone done some research recently?

_______________________________________________
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography
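
Added example, not part of the original post: the early-exit loop from the question, instrumented to count how many bytes it inspects, next to two comparisons whose work does not depend on where the first mismatch occurs. The class name `DigestCheckDemo`, the helpers `earlyExitSteps` and `constantTimeEquals`, and the sample secret are constructed for illustration; `MessageDigest.isEqual` is the JDK's own comparison.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

public class DigestCheckDemo {
    // The loop from the post, instrumented to report how many bytes it
    // inspects before returning: the work depends on the matching prefix.
    static int earlyExitSteps(byte[] digest, byte[] hash) {
        if (digest.length != hash.length) return 0;
        int steps = 0;
        for (int i = 0; i < digest.length; i++) {
            steps++;
            if (digest[i] != hash[i]) return steps;
        }
        return steps;
    }

    // Hand-written constant-time comparison: always visits every byte and
    // folds the differences into one accumulator, with no data-dependent branch.
    static boolean constantTimeEquals(byte[] a, byte[] b) {
        if (a.length != b.length) return false; // digest length is not secret
        int diff = 0;
        for (int i = 0; i < a.length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    // Hardened check(): same contract as the post, comparison delegated to the JDK.
    static boolean check(byte[] digest, byte[] secret) throws NoSuchAlgorithmException {
        byte[] hash = MessageDigest.getInstance("MD5").digest(secret);
        return MessageDigest.isEqual(digest, hash);
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        // Constructed sample secret, used only to produce a 16-byte MD5 value.
        byte[] secret = "constructed-sample-secret".getBytes(StandardCharsets.UTF_8);
        byte[] hash = MessageDigest.getInstance("MD5").digest(secret);
        for (int prefix : new int[] {0, 4, 8, 16}) {
            byte[] guess = hash.clone();
            if (prefix < guess.length) guess[prefix] ^= 0x01; // first wrong byte
            System.out.printf("matching prefix=%2d  early-exit steps=%2d  constant-time=%b  check=%b%n",
                    prefix, earlyExitSteps(guess, hash),
                    constantTimeEquals(guess, hash), check(guess, secret));
        }
    }
}
```

The early-exit step count grows with the length of the matching prefix (1, 5, 9, 16 for the four constructed guesses), which is the data-dependent behaviour the question is about; the other two comparisons visit all 16 bytes in every case.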