The current implementation of the apiKey comparison has a timing-attack vulnerability.
The current implementation in the file ApiKeyMiddleware.cs is as follows:
if (!apiKey.Equals(extractedApiKey))
{
context.Response.StatusCode = 401;
await context.Response.WriteAsync("Unauthorized client");
return;
}
Should be something like:
var equals = CryptographicOperations.FixedTimeEquals(
System.Text.Encoding.UTF8.GetBytes( apiKey ),
System.Text.Encoding.UTF8.GetBytes( extractedApiKey ) );
if( !equals )
{
context.Response.StatusCode = 401;
await context.Response.WriteAsync( "Unauthorized client" );
return;
}
See:
https://en.wikipedia.org/wiki/Timing_attack
https://vcsjones.dev/fixed-time-equals-dotnet-core
https://michaelhowardsecure.blog/2019/02/22/the-dangers-of-string-comparing-passwords
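The following is an added example, not code from the project or from the issue author, showing how the proposed fix can be packaged as a reusable helper for the middleware. It assumes .NET 5 or later (for `SHA256.HashData`) and uses hypothetical names (`ApiKeyComparer`, `KeysMatch`) and constructed sample keys. It goes one step beyond the snippet above: because `CryptographicOperations.FixedTimeEquals` returns immediately when the two byte arrays differ in length, both inputs are hashed first so that every comparison runs over equal-length buffers and the configured key's length is not observable through response timing.

```csharp
// Added example (not the project's code): constant-time API key comparison
// intended for use from ApiKeyMiddleware.cs. Assumes .NET 5+ for SHA256.HashData.
using System;
using System.Security.Cryptography;
using System.Text;

public static class ApiKeyComparer
{
    // Returns true only when the key extracted from the request matches the
    // configured key. Both values are hashed to a fixed 32-byte digest before
    // the constant-time comparison so that keys of different lengths still
    // take the same time to reject.
    public static bool KeysMatch(string configuredKey, string? extractedKey)
    {
        if (string.IsNullOrEmpty(configuredKey) || extractedKey is null)
        {
            return false;
        }

        byte[] expected = SHA256.HashData(Encoding.UTF8.GetBytes(configuredKey));
        byte[] actual = SHA256.HashData(Encoding.UTF8.GetBytes(extractedKey));

        // Constant-time comparison over equal-length inputs; no early exit
        // based on which byte first differs.
        return CryptographicOperations.FixedTimeEquals(expected, actual);
    }
}

public static class Program
{
    public static void Main()
    {
        // Constructed sample values for demonstration only.
        const string apiKey = "example-configured-key-0123456789";

        // In ApiKeyMiddleware.cs the call site would read:
        //   if (!ApiKeyComparer.KeysMatch(apiKey, extractedApiKey))
        //   {
        //       context.Response.StatusCode = 401;
        //       await context.Response.WriteAsync("Unauthorized client");
        //       return;
        //   }
        Console.WriteLine(ApiKeyComparer.KeysMatch(apiKey, apiKey));                 // True
        Console.WriteLine(ApiKeyComparer.KeysMatch(apiKey, "wrong-key"));            // False
        Console.WriteLine(ApiKeyComparer.KeysMatch(apiKey, apiKey + "x"));           // False
        Console.WriteLine(ApiKeyComparer.KeysMatch(apiKey, null));                   // False
    }
}
```

Hashing before comparison costs one SHA-256 per request and removes the length side channel; if the key is already stored as a fixed-length digest rather than plaintext, only the extracted value needs hashing and the configured digest can be compared directly.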