Secure Code Guideline
If you plan to write code that directly uses crypto routines or even plan to write your own crypto functionality, then you really MUST carefully read the following notes.
The execution time of a program routine can be critical information when it comes to cryptography.
Code that compares a user-provided value with a reference value to check the correctness of credentials or a message authentication code (MAC) MUST always run in constant time, regardless of where the two values differ.
This code example, taken from java.security.MessageDigest.isEqual, illustrates how to write a constant-time comparison:
public static boolean isEqual(byte[] digesta, byte[] digestb) {
    if (digesta.length != digestb.length) {
        return false;
    }
    int result = 0;
    // time-constant comparison
    for (int i = 0; i < digesta.length; i++) {
        result |= digesta[i] ^ digestb[i];
    }
    return result == 0;
}
The length of an encrypted message can reveal more than just the length of the plaintext.
Compressing externally initiated messages (e.g. acknowledge messages) can leak information if a part of the message can be chosen by the initiator (see CRIME). Since we do not want to distinguish between such messages and uncritical ones, no direct message from A to B should be compressed (i.e. drop messages).
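The length leak described above, shown with java.util.zip.Deflater as an added example (not code from this project). The message layout, field names and sample values are constructed for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.util.zip.Deflater;

// Added illustration: why messages containing initiator-chosen data
// must not be compressed before encryption. All values are constructed.
public class CompressionLengthLeak {

    // Length of the DEFLATE output. A cipher applied afterwards preserves
    // this length (up to padding), so an observer on the wire learns it.
    static int deflatedLength(byte[] plain) {
        Deflater deflater = new Deflater(Deflater.BEST_COMPRESSION);
        deflater.setInput(plain);
        deflater.finish();
        byte[] out = new byte[plain.length + 64];
        int total = 0;
        while (!deflater.finished()) {
            total += deflater.deflate(out);
        }
        deflater.end();
        return total;
    }

    // Hypothetical message layout: a confidential field followed by a field
    // whose content the remote initiator controls.
    static byte[] message(String confidential, String initiatorChosen) {
        String body = "secret=" + confidential + ";echo=" + initiatorChosen;
        return body.getBytes(StandardCharsets.UTF_8);
    }

    public static void main(String[] args) {
        String confidential = "k3Yx9QmT2vLp8ZrW"; // constructed sample value
        // Both initiator-chosen parts are 23 characters long.
        byte[] overlapping = message(confidential, "secret=k3Yx9QmT2vLp8ZrW");
        byte[] unrelated = message(confidential, "BhU7dNc0eJfG4sAoIq1XyMz");

        // Same plaintext length: without compression the ciphertext length
        // is independent of the confidential field.
        System.out.println("plain:    " + overlapping.length + " vs " + unrelated.length);
        // With compression the repeated substring becomes a back-reference,
        // so the output is shorter when the chosen part overlaps the secret.
        System.out.println("deflated: " + deflatedLength(overlapping)
                + " vs " + deflatedLength(unrelated));
    }
}
```

Sending such messages uncompressed, as the guideline requires, makes both cases the same length on the wire.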