Timing Attack Vulnerability
Closed this issue · 1 comments
paragonie-scott commented
http://www.openwall.com/lists/oss-security/2016/01/24/10
- https://github.com/RNCryptor/RNCryptor-Spec/blob/04378bc27c604e97353badbead8c435698abe97a/RNCryptor-Spec-v3.md#consistent-time-equality-checking
- https://cryptocoding.net/index.php/Coding_rules#Compare_secret_strings_in_constant_time
- http://blog.ircmaxell.com/2014/11/its-all-about-time.html
Problematic line:
ruby_rncryptor/lib/ruby_rncryptor.rb
Line 27 in 5fff939
timestretch commented
Thanks for the report! I just pushed v3.0.1 which uses the eql_time_cmp method from the openssl docs.