#2 CHAP password comparison susceptible to timing attack

v1.0 (example)
open
None
5
2014-07-23
2014-07-23
mikec
No

AccessRequest.verifyChapPassword() does not use a constant time comparison of the chapHash, and so a valid chapHash could be discovered using timing attacks. Should do what org.bouncycastle.util.Arrays.constantTimeAreEqual does, or something similar.
