From 62a8e8c119e6da84949b7543cbd8cee943d0b034 Mon Sep 17 00:00:00 2001
From: Athou
Date: Wed, 13 Aug 2014 17:08:42 +0200
Subject: [PATCH] prevent timing attacks by using a time-constant comparison algorithm

---
 .../commafeed/backend/service/PasswordEncryptionService.java | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/main/java/com/commafeed/backend/service/PasswordEncryptionService.java b/src/main/java/com/commafeed/backend/service/PasswordEncryptionService.java
index 48f7736f..65087d38 100644
--- a/src/main/java/com/commafeed/backend/service/PasswordEncryptionService.java
+++ b/src/main/java/com/commafeed/backend/service/PasswordEncryptionService.java
@@ -1,10 +1,10 @@
 package com.commafeed.backend.service;
 
 import java.io.Serializable;
+import java.security.MessageDigest;
 import java.security.NoSuchAlgorithmException;
 import java.security.SecureRandom;
 import java.security.spec.KeySpec;
-import java.util.Arrays;
 
 import javax.crypto.SecretKey;
 import javax.crypto.SecretKeyFactory;
@@ -30,7 +30,7 @@ public class PasswordEncryptionService implements Serializable {
 
 // Authentication succeeds if encrypted password that the user entered
 // is equal to the stored hash
-return Arrays.equals(encryptedPassword, encryptedAttemptedPassword);
+return MessageDigest.isEqual(encryptedPassword, encryptedAttemptedPassword);
 }
 
 public byte[] getEncryptedPassword(String password, byte[] salt) {
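Review bot: The new `MessageDigest.isEqual` call in the second hunk carries no comment explaining why it must not be simplified back to `Arrays.equals`, which is exactly the kind of "cleanup" a later maintainer will make; the existing two-line comment only says the hashes must be equal. I would extend it with `// MessageDigest.isEqual does not short-circuit at the first differing byte, so a failed` / `// login does not leak how many leading bytes of the stored hash matched (Arrays.equals does).` Two caveats worth recording alongside it: the JDK method still returns early when the two arrays differ in length, which is harmless only if both byte arrays are always derived with the same key length — that code is outside this hunk, so please confirm it; and on old JDKs (roughly before 6u17/7) `isEqual` itself was a short-circuit loop, so the project's minimum Java version matters for this fix to mean anything. The enclosing authentication method begins before the hunk and `getEncryptedPassword` continues past it.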