Compare passwords in constant time to avoid timing attack vulnerabilities
kpreisser opened this issue · comments
I noticed BasicAuthHandler does a string comparison on the user's password:

Comparing passwords using a simple string.Equals can make the code vulnerable to timing attacks, as a simple equals method will return as early as possible (when it finds the first mismatch). Instead, for comparing passwords or other secret information, a method like CryptographicOperations.FixedTimeEquals should be used that compares the sequences in constant time.

Additionally, I think Encoding.Default should not be used anymore, as it depends on the OS. E.g. on Windows, it returns the language/region-specific ANSI encoding (e.g. Windows-1252 on German systems, gb2312 on Chinese (simplified) systems). Instead, it should probably be Encoding.UTF8 or Encoding.Unicode.
Thanks!
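The two points of the issue written out as an added example (this is not code from the project or from kpreisser): the leaky string.Equals comparison beside a CryptographicOperations.FixedTimeEquals version, and a Basic-auth header check that decodes the credentials with Encoding.UTF8 instead of Encoding.Default. The class name BasicAuthCheck, the method names and the sample credentials are assumptions made for the example; a real handler would compare a stored password hash rather than a plaintext, which also gives both operands a fixed length.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example, not the project's code. Assumed names: BasicAuthCheck and its methods.
public static class BasicAuthCheck
{
    // Vulnerable form from the issue: an ordinal string comparison stops at the first
    // mismatching character, so the response time reveals how long the correct prefix is.
    public static bool EqualsLeaky(string expected, string actual)
        => string.Equals(expected, actual, StringComparison.Ordinal);

    // Hardened form: compare the UTF-8 bytes in constant time. FixedTimeEquals only
    // returns early when the lengths differ (it still reveals the length, which is one
    // reason to compare fixed-length hashes); it never reveals a matching prefix.
    public static bool EqualsFixedTime(string expected, string actual)
    {
        byte[] a = Encoding.UTF8.GetBytes(expected);
        byte[] b = Encoding.UTF8.GetBytes(actual);
        return CryptographicOperations.FixedTimeEquals(a, b);
    }

    // Parse "Basic <base64(user:password)>". The decoded bytes are interpreted as UTF-8;
    // Encoding.Default would map a non-ASCII password differently on each OS code page.
    public static bool TryAuthenticate(string authorizationHeader, string expectedUser, string expectedPassword)
    {
        const string scheme = "Basic ";
        if (authorizationHeader == null ||
            !authorizationHeader.StartsWith(scheme, StringComparison.OrdinalIgnoreCase))
            return false;

        byte[] raw;
        try
        {
            raw = Convert.FromBase64String(authorizationHeader.Substring(scheme.Length).Trim());
        }
        catch (FormatException)
        {
            return false; // malformed base64 is rejected before any comparison
        }

        string credentials = Encoding.UTF8.GetString(raw);
        int colon = credentials.IndexOf(':');
        if (colon < 0)
            return false;

        string user = credentials.Substring(0, colon);
        string password = credentials.Substring(colon + 1);

        // Run both comparisons and combine with non-short-circuit '&' so that a wrong
        // user name does not skip the password comparison and shorten the response.
        bool userOk = EqualsFixedTime(expectedUser, user);
        bool passwordOk = EqualsFixedTime(expectedPassword, password);
        return userOk & passwordOk;
    }

    public static void Main()
    {
        // Constructed sample credentials with a non-ASCII character to show why the
        // decoding must be UTF-8 on both sides.
        string header = "Basic " + Convert.ToBase64String(Encoding.UTF8.GetBytes("alice:s3cret-ü"));
        Console.WriteLine(TryAuthenticate(header, "alice", "s3cret-ü"));
        Console.WriteLine(TryAuthenticate(header, "alice", "s3cret-u"));
        Console.WriteLine(TryAuthenticate("Basic not-base64!", "alice", "s3cret-ü"));
    }
}
```

CryptographicOperations.FixedTimeEquals is available from .NET Core 2.1 onward; on older targets the same effect is obtained by XOR-ing every byte pair and OR-ing the results into an accumulator, returning `acc == 0` only after the full loop.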
The fix is implemented now.