Given the following Java code:

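import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

// Compares a supplied digest against the MD5 hash of the secret.
public boolean check(byte[] digest, byte[] secret) throws NoSuchAlgorithmException {
    byte[] hash = MessageDigest.getInstance("MD5").digest(secret);

    if (digest.length != hash.length) {
        return false;
    }

    // Byte-by-byte comparison that returns at the first mismatch.
    for (int i = 0; i < digest.length; i++) {
        if (digest[i] != hash[i]) {
            return false;
        }
    }

    return true;
}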

I’m wondering whether, if it’s running as some authenticated server application,
it should be considered resistant to time attacks nowadays. I’m aware that’s
not a good practice, but I’m not clear if I should consider it as exploitable
over the network (in both intranet and internet scenarios).

I would like to run some tests, but I’m not sure if I should follow some
specific approach. Has anyone done some research recently?




_______________________________________________
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography
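
An added example, not part of the original post or of any project's code: the early-exit loop from the message beside a comparison whose work does not depend on where the first mismatch falls. The class name, the iteration counter and the sample secret are assumptions made for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

public class DigestCompare {
    // Counts loop iterations so the data dependence is visible without a timer.
    static int iterations;

    // Early-exit comparison, same shape as the loop in the post.
    static boolean earlyExitEquals(byte[] a, byte[] b) {
        iterations = 0;
        if (a.length != b.length) return false;
        for (int i = 0; i < a.length; i++) {
            iterations++;
            if (a[i] != b[i]) return false;
        }
        return true;
    }

    // Hardened form: fold every byte difference into one value, with no
    // branch that depends on the contents of either array.
    static boolean constantTimeEquals(byte[] a, byte[] b) {
        iterations = 0;
        if (a.length != b.length) return false;
        int diff = 0;
        for (int i = 0; i < a.length; i++) {
            iterations++;
            diff |= a[i] ^ b[i];
        }
        return diff == 0;
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        // Constructed sample secret; MD5 yields a 16-byte hash.
        byte[] hash = MessageDigest.getInstance("MD5")
                .digest("constructed-sample-secret".getBytes(StandardCharsets.UTF_8));
        for (int n : new int[] {0, 4, 15}) {
            byte[] candidate = hash.clone();
            candidate[n] ^= 0x01; // first mismatch at index n
            earlyExitEquals(candidate, hash);
            int early = iterations;
            constantTimeEquals(candidate, hash);
            // MessageDigest.isEqual is the JDK's own digest comparison.
            System.out.printf("mismatch at %2d: early-exit=%2d, fixed=%2d, isEqual=%b%n",
                    n, early, iterations, MessageDigest.isEqual(candidate, hash));
        }
    }
}
```

The early-exit count tracks the position of the first differing byte, while the hardened loop always walks all 16 bytes; in application code, `MessageDigest.isEqual` is the call to use instead of a hand-written loop.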
