RavenDB Security Review: Non-Constant Time Secret Comparison

added by DotNetKicks
3/27/2018 1:02:36 PM

1 Kicks, 227 Views

So regardless of the result, we'll always do the same amount of work and won't expose details through different processing times. In general, by the way, algorithms and execution of code in cryptography attempt to avoid anything that branches on the secret information, because that leaks details to attackers.
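The difference described above, shown as an added example in C# (this is not RavenDB's code or code from the linked post): an early-exit comparison beside one that does the same work for every input. The class and method names, the `examined` counter, and the sample values are assumptions made for illustration; `CryptographicOperations.FixedTimeEquals` is the built-in equivalent available from .NET Core 2.1.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

static class SecretComparison // hypothetical name
{
    // Early exit: returns at the first mismatching byte, so the work done
    // (counted in 'examined') depends on how much of the guess is correct.
    public static bool LeakyEquals(byte[] expected, byte[] supplied, out int examined)
    {
        examined = 0;
        if (expected.Length != supplied.Length) return false;
        for (int i = 0; i < expected.Length; i++)
        {
            examined++;
            if (expected[i] != supplied[i]) return false; // branch on secret data
        }
        return true;
    }

    // Fixed time: XOR each byte pair and OR the differences together. The loop
    // always runs to the end; only the length (treated as public) causes an early return.
    public static bool ManualFixedTimeEquals(byte[] expected, byte[] supplied, out int examined)
    {
        examined = 0;
        if (expected.Length != supplied.Length) return false;
        int diff = 0;
        for (int i = 0; i < expected.Length; i++)
        {
            examined++;
            diff |= expected[i] ^ supplied[i];
        }
        return diff == 0;
    }

    static void Main()
    {
        // Constructed sample values, not real secrets.
        byte[] secret = Encoding.UTF8.GetBytes("constructed-sample-secret");
        string[] guesses = { "Xonstructed-sample-secret", "constructed-sample-secreX", "constructed-sample-secret" };
        foreach (string g in guesses)
        {
            byte[] guess = Encoding.UTF8.GetBytes(g);
            bool leaky = LeakyEquals(secret, guess, out int leakyWork);
            bool manual = ManualFixedTimeEquals(secret, guess, out int fixedWork);
            bool builtIn = CryptographicOperations.FixedTimeEquals(secret, guess);
            Console.WriteLine($"{g}: leaky={leaky} ({leakyWork} bytes), fixed={manual} ({fixedWork} bytes), built-in={builtIn}");
        }
    }
}
```

The byte counts stand in for elapsed time: the early-exit version's count tracks the position of the first wrong byte, while the fixed-time version's count is the same for every guess of the right length.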