RFR: 8293779: redundant checking in AESCrypt.makeSessionKey() method [v3]
Xue-Lei Andrew Fan
xuelei at openjdk.org
Thu Sep 15 05:34:45 UTC 2022
On Thu, 15 Sep 2022 05:21:52 GMT, Daniel Jeliński <djelinski at openjdk.org> wrote:
>> Speaking of MessageDigest.isEqual, we don't need constant time comparison here. We could use Arrays.equals for some extra performance.
>
> Actually, never mind that. We need constant time comparison to avoid leaking information about differences between old and new key. Sorry for the noise.
@djelinski If both styles (w/o constant-time operations) get used in the code, it may take time for code readers to analyze the potential secret leaking issues until there is a clear comment. That may add additional human and maintenance cost, which may be as expensive as the computer cost, especially when something goes wrong. So normally, I prefer constant-time operations for secret information, no matter whether the operations are exposed to attack surfaces or not. Just my $.02.
-------------
PR: https://git.openjdk.org/jdk/pull/10263
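
The difference between the two comparison styles discussed in this thread, as an added example that is not part of the original message and is not JDK code. It assumes the check compares a newly supplied key with a stored copy of the previous one; the class `KeyCompareDemo` and its methods are hypothetical, and the sample keys are constructed.

```java
import java.security.MessageDigest;
import java.util.Arrays;

// Added illustration; class and method names are hypothetical, not JDK code.
public class KeyCompareDemo {
    private byte[] lastKey;   // copy of the most recently installed key
    private int expansions;   // how many times the stand-in key schedule ran

    // Early-exit comparison: returns how many bytes were examined before the
    // result was known. The count depends on where the first difference is,
    // which is the information a timing observer could learn.
    static int earlyExitSteps(byte[] a, byte[] b) {
        if (a.length != b.length) return 0;
        for (int i = 0; i < a.length; i++) {
            if (a[i] != b[i]) return i + 1;
        }
        return a.length;
    }

    // Constant-time comparison: every byte is always examined and differences
    // are accumulated with XOR/OR, so the work does not depend on the content.
    static boolean constantTimeEquals(byte[] a, byte[] b) {
        if (a.length != b.length) return false;
        int diff = 0;
        for (int i = 0; i < a.length; i++) {
            diff |= a[i] ^ b[i];
        }
        return diff == 0;
    }

    // Skip re-expansion when the same key is supplied again, using the
    // JDK's MessageDigest.isEqual for the old-key/new-key check.
    void setKey(byte[] key) {
        if (lastKey != null && MessageDigest.isEqual(key, lastKey)) {
            return;
        }
        expansions++;             // stand-in for the real key schedule
        lastKey = key.clone();
    }

    public static void main(String[] args) {
        byte[] k = new byte[16];                  // constructed sample keys
        byte[] early = k.clone(); early[0] = 1;   // differs in the first byte
        byte[] late = k.clone();  late[15] = 1;   // differs in the last byte
        System.out.println(earlyExitSteps(k, early) + " vs " + earlyExitSteps(k, late));
        System.out.println(constantTimeEquals(k, late) + " " + Arrays.equals(k, k.clone()));
        KeyCompareDemo d = new KeyCompareDemo();
        d.setKey(k); d.setKey(k.clone()); d.setKey(late);
        System.out.println("expansions=" + d.expansions);
    }
}
```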