constant time compare is not used anywhere important

Bernd Eckenfels ecki at
Wed Feb 4 21:21:30 UTC 2015


While researching the SSL3 rsaHandshakeFix (don't ask :) I noticed
that JSSE uses Arrays.equals() in some places to compare
byte arrays with cryptographic material; in at least
one instance it is even used to verify and reject a MAC in a
network protocol.

I am not sure if this specific instance is anywhere near to being
relevant, especially as I suspect there might be things
(like intrinsics) going on, as this is really wrong all over
the place.

I think the OpenJDK code should anyway follow best practice and avoid an
optimized equals method in all crypto code.

Functions working on key material, password hashes or MACs:

Most likely uncritical but still in crypto code:

(there are more)

I guess all of them can be converted to MessageDigest.equals(). And as
this is branch free, it might not even be slower. (I am not sure if
an intrinsic is applied here.)


PS: (I know, non-comment policy, but I don't really see a reason to
embargo this. Java is hardly a good candidate for safe crypto
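The three ways of checking a MAC tag that the post contrasts, as an added example that is not part of the original mail or of the JSSE code it refers to: the early-exit Arrays.equals() pattern, the JDK's own MessageDigest.isEqual(byte[], byte[]) (the method the post means by "MessageDigest.equals()"), and a hand-written branch-free compare. The key, message and tampered tag are constructed for the demo; a real key would come from the handshake key derivation.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Arrays;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
public class MacCompare {
    // Constructed demo key; not a real secret.
    private static final byte[] KEY = "demo-key-not-for-production".getBytes(StandardCharsets.UTF_8);
    static byte[] hmacSha256(byte[] key, byte[] message) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(key, "HmacSHA256"));
        return mac.doFinal(message);
    }

    // The pattern the post objects to: Arrays.equals() returns at the first
    // mismatching byte, so the time taken depends on how many leading bytes
    // of an attacker-supplied tag happen to match the expected one.
    static boolean verifyEarlyExit(byte[] key, byte[] message, byte[] tag) throws Exception {
        return Arrays.equals(hmacSha256(key, message), tag);
    }

    // Library fix: MessageDigest.isEqual() walks every byte regardless of
    // where the first mismatch is (only a length mismatch returns early).
    static boolean verifyConstantTime(byte[] key, byte[] message, byte[] tag) throws Exception {
        return MessageDigest.isEqual(hmacSha256(key, message), tag);
    }

    // Hand-rolled branch-free compare: OR the XOR of each byte pair into an
    // accumulator and test it once at the end. Tag length is public, so
    // returning early on a length mismatch leaks nothing secret.
    static boolean constantTimeEquals(byte[] a, byte[] b) {
        if (a == null || b == null || a.length != b.length) {
            return false;
        }
        int diff = 0;
        for (int i = 0; i < a.length; i++) {
            diff |= a[i] ^ b[i];
        }
        return diff == 0;
    }
    public static void main(String[] args) throws Exception {
        byte[] msg = "ClientFinished".getBytes(StandardCharsets.UTF_8);   // constructed message
        byte[] good = hmacSha256(KEY, msg);
        byte[] bad = good.clone();
        bad[bad.length - 1] ^= 0x01;   // flip one bit in the last byte of the tag
        System.out.println("early-exit  good=" + verifyEarlyExit(KEY, msg, good) + " bad=" + verifyEarlyExit(KEY, msg, bad));
        System.out.println("isEqual     good=" + verifyConstantTime(KEY, msg, good) + " bad=" + verifyConstantTime(KEY, msg, bad));
        System.out.println("hand-rolled good=" + constantTimeEquals(good, good) + " bad=" + constantTimeEquals(good, bad));
    }
}
```

All three verifiers give the same answers (true for the genuine tag, false for the tampered one); the difference the post is about is only in how long the false case takes to reach, which is why a code review, not a functional test, is what catches it.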
