Password dependent timing side channel in AuthCredentials #439
In https://github.com/floragunncom/search-guard/blob/master/src/main/java/com/floragunn/searchguard/user/AuthCredentials.java#L170 passwords are hashed and then compared using java.util.Arrays.equals.
Arrays.equals seems to provide a timing side channel (tested this here); the leakage of password data should be prevented.
Note: There are tools which automate the attack, e.g.: https://github.com/aj-code/TimingIntrusionTool5000
Thanks for reporting this. We will fix this by replacing Arrays.equals() with MessageDigest.isEqual() which is time constant. Since Arrays.equals() here is used only to determine if the user credentials are cached (or not) we do not believe, as of now, that this is a real attack vector which could be exploited in the wild.
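As an added illustration (not code from the Search Guard project or from either commenter) of the two comparison shapes discussed above: an early-exit byte compare whose running time depends on the position of the first mismatch, a hand-rolled constant-time compare, and the JDK's `MessageDigest.isEqual`. The SHA-256 hashing and the sample passwords are constructed for the example; the project's own hashing of cached credentials is not reproduced here.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;

public class ConstantTimeCompare {

    // Hash a candidate password the way a credential cache might derive its key.
    // (Constructed for this example; SHA-256 stands in for whatever the project uses.)
    static byte[] sha256(char[] password) throws NoSuchAlgorithmException {
        byte[] bytes = new String(password).getBytes(StandardCharsets.UTF_8);
        return MessageDigest.getInstance("SHA-256").digest(bytes);
    }

    // Early-exit comparison: returns at the first differing byte, so the time
    // taken depends on how many leading bytes match. This is the behaviour the
    // issue attributes to Arrays.equals.
    static boolean earlyExitEquals(byte[] a, byte[] b) {
        if (a.length != b.length) return false;
        for (int i = 0; i < a.length; i++) {
            if (a[i] != b[i]) return false;
        }
        return true;
    }

    // Constant-time comparison: always visits every byte and ORs the XOR
    // differences together, so the run time does not depend on where they differ.
    static boolean constantTimeEquals(byte[] a, byte[] b) {
        if (a.length != b.length) return false;
        int diff = 0;
        for (int i = 0; i < a.length; i++) {
            diff |= a[i] ^ b[i];
        }
        return diff == 0;
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        byte[] stored = sha256("correct-horse".toCharArray());  // constructed sample
        byte[] candidate = sha256("wrong-horse".toCharArray()); // constructed sample

        System.out.println("earlyExitEquals:       " + earlyExitEquals(stored, candidate));
        System.out.println("Arrays.equals:         " + Arrays.equals(stored, candidate));
        System.out.println("constantTimeEquals:    " + constantTimeEquals(stored, candidate));
        // MessageDigest.isEqual is the JDK's constant-time comparison, the
        // replacement named in the maintainer's reply above.
        System.out.println("MessageDigest.isEqual: " + MessageDigest.isEqual(stored, candidate));
    }
}
```

All four calls return `false` for the mismatched inputs; the difference is only in how long the early-exit variant takes, which is what a timing measurement would observe.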