-
-
Notifications
You must be signed in to change notification settings - Fork 4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Security: TokenProvider vulnerable to timing attacks #2095
Comments
Impressive. I knew about them, and I didn't think we were vulnerable to them. Maybe we should also check for OAuth2, and for the standard Spring Security authentication mechanism. @rwinch have you already checked this in Spring Security? |
@jdubois Thanks for calling this to my attention. Spring Security / Spring Security OAuth either uses
UPDATE If any security vulnerabilities are found within Spring Security (or Spring in general). Then please report, to security@pivotal.io as outlined at http://pivotal.io/security or ensure to select the Security Level attribute with the value of Assignee and Reporter when reporting in JIRA. |
I thought I knew Spring Security quite well, and now I see goes way beyond what I imagined!! By the way I should check the JWT support from Spring Security: I didn't know about this, it's probably better than our own custom-made solution. |
There are few examples if you want to use JWT. Migrating to JWT also solves websocket authentication issue as well. See the below examples for reference. |
Thanks @pnreddysvu -> I'll add a new ticket to migrate to JWT |
Oh, and if we migrate to JWT, then we might not have to merge this PR -> I'm putting this on hold, until we have a closer look at JWT |
The TokenProvider uses
String.equals(str)
to compare the given token-signature with a calculated one. This method uses a break-on-inequality algorithm. This makes the TokenProvider vulnerable to timing attacks, where an attacker can forge a token with any username more easily than using brute force.Coda Hale did a nice blog post on this topic
The text was updated successfully, but these errors were encountered: