Key Lookup Vulnerable to Timing Attacks

Open mcordingley opened this issue 3 years ago • 0 comments

Right here: https://github.com/alefcarlos/keycloak-api-key/blob/0.1.13/api-key-module/src/main/java/com/gwidgets/resources/ApiKeyResource.java#L33

Each additional correct character in the prefix of a guess will make the response take an increment longer. It's best to treat some prefix of the key as a selector that can be indexed, but the remainder should be treated as a password. As a stop-gap, it will help if you select based off of a prefix and then use a constant-time string comparison function to check the suffix.

mcordingley avatar Oct 03 '22 01:10 mcordingley
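A lookup of the shape the issue proposes, as an added example that is not the project's code: the first characters of a key act as a public selector for an indexed lookup, and the remainder is hashed and compared with `MessageDigest.isEqual` so that the time taken does not depend on how many leading characters of the secret part were guessed correctly. The class and method names, the 8-character prefix length, the SHA-256 storage of the suffix and the sample key are assumptions (Java 16+ for `record`).

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.HashMap;
import java.util.Map;
import java.util.Optional;

// Hypothetical verifier: keys are "<8-char public prefix><secret suffix>".
// The prefix is only a selector; the suffix is treated like a password.
public final class ApiKeyVerifier {
    static final int PREFIX_LEN = 8;                       // assumed split point

    record Record(String owner, byte[] secretHash) {}

    private final Map<String, Record> byPrefix = new HashMap<>();

    static byte[] sha256(String s) {
        try {
            return MessageDigest.getInstance("SHA-256")
                    .digest(s.getBytes(StandardCharsets.UTF_8));
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }

    // Store only the hash of the secret suffix, indexed by the public prefix.
    void register(String owner, String apiKey) {
        String prefix = apiKey.substring(0, PREFIX_LEN);
        String suffix = apiKey.substring(PREFIX_LEN);
        byPrefix.put(prefix, new Record(owner, sha256(suffix)));
    }

    Optional<String> authenticate(String presented) {
        if (presented == null || presented.length() <= PREFIX_LEN) return Optional.empty();
        Record r = byPrefix.get(presented.substring(0, PREFIX_LEN));   // indexed by selector
        if (r == null) return Optional.empty();                        // prefix is not secret
        // Both digests are 32 bytes, so isEqual runs in constant time over the whole array.
        boolean ok = MessageDigest.isEqual(r.secretHash, sha256(presented.substring(PREFIX_LEN)));
        return ok ? Optional.of(r.owner) : Optional.empty();
    }

    public static void main(String[] args) {
        ApiKeyVerifier v = new ApiKeyVerifier();
        v.register("alice", "ak_12345abcdefGHIJKLMNOP");             // constructed sample key
        System.out.println(v.authenticate("ak_12345abcdefGHIJKLMNOP"));
        System.out.println(v.authenticate("ak_12345abcdefGHIJKLMNOX"));
    }
}
```

Hashing the suffix before the comparison also means a leaked store does not expose usable keys, which the plain constant-time string compare the issue calls a stop-gap would not give on its own.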