Re: Review Request 13252: SHA256 timing attack and brute force attack fix

Chiradeep Vittal Tue, 06 Aug 2013 15:58:26 -0700

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/13252/#review24757
-----------------------------------------------------------



Can you add tests to AuthenticatorTest.java
1. authenticate('FooUser', 'FooPassword') takes as long as 
authenticate('ValidUser', 'ValidPassword') takes as long as 
authenticate('ValidUser', 'FooPassword')
2. authenticate('ValidUserWith20byteSalt', 'ValidPassword') succeeds

- Chiradeep Vittal


On Aug. 6, 2013, 9:59 p.m., Amogh Vasekar wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/13252/
> -----------------------------------------------------------
> 
> (Updated Aug. 6, 2013, 9:59 p.m.)
> 
> 
> Review request for cloudstack and John Kinsella.
> 
> 
> Bugs: https://issues.apache.org/jira/browse/CLOUDSTACK-2312 and 
> https://issues.apache.org/jira/browse/CLOUDSTACK-2314
> 
> 
> Repository: cloudstack-git
> 
> 
> Description
> -------
> 
> 1. Fix timing attack by using a constant-time comparison function
> 2. Increase salt size
> 3. Make flow for invalid user go through full normal execution using a fake 
> password and salt
> 
> 
> Diffs
> -----
> 
>   
> plugins/user-authenticators/sha256salted/src/com/cloud/server/auth/SHA256SaltedUserAuthenticator.java
>  da939273ea10bff3b2687c9684edf8a5d0ab4b2e 
> 
> Diff: https://reviews.apache.org/r/13252/diff/
> 
> 
> Testing
> -------
> 
> Local environment
> 
> 
> Thanks,
> 
> Amogh Vasekar
> 
>

Re: Review Request 13252: SHA256 timing attack and brute force attack fix

Reply via email to