SecureString Comparing and Timing Attacks
Question
I cannot see in the documentation for SecureString how to compare two strings and ensure that the compare does not suffer from timing attacks.
The following article provides a compare, but it is not safe from timing attacks.
How can I ensure that we are protected from Timing Attacks?
Bryan Avery
Recommended answer
Hi Bryan Avery,
Thank you for posting here.
If you want to be protected from timing attacks when comparing two strings, you could compare two byte arrays in length-constant time. This comparison method is used so that password hashes cannot be extracted from on-line systems using a timing attack and then attacked off-line.
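// Compares two byte arrays in length-constant time: every byte of the
// common prefix is examined, with no early exit at the first mismatch.
private static bool SlowEquals(byte[] a, byte[] b)
{
    // Fold the length difference into the result so unequal lengths never match.
    uint diff = (uint)a.Length ^ (uint)b.Length;
    for (int i = 0; i < a.Length && i < b.Length; i++)
        diff |= (uint)(a[i] ^ b[i]); // accumulate differing bits
    return diff == 0;
}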
Here are two nice articles for your reference.
http://bryanavery.co.uk/cryptography-net-avoiding-timing-attack/#comment-85
Best regards,
Wendy
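An added example, not part of the original answer or of the linked article: the same XOR-accumulate comparison applied directly to two SecureString values, read from unmanaged BSTR buffers so that no managed string or byte[] copy of the plaintext is created. The class name, method names and sample values are hypothetical and constructed for illustration.

```csharp
using System;
using System.Runtime.InteropServices;
using System.Security;

// Hypothetical helper class (not a framework API).
static class SecureStringComparer
{
    public static bool FixedTimeEquals(SecureString a, SecureString b)
    {
        if (a == null || b == null) throw new ArgumentNullException();
        IntPtr pa = IntPtr.Zero, pb = IntPtr.Zero;
        try
        {
            // Decrypt into unmanaged BSTRs; the GC never sees or relocates the plaintext.
            pa = Marshal.SecureStringToBSTR(a);
            pb = Marshal.SecureStringToBSTR(b);
            // As in SlowEquals: a length mismatch can never compare equal.
            uint diff = (uint)a.Length ^ (uint)b.Length;
            int n = Math.Min(a.Length, b.Length);
            for (int i = 0; i < n; i++)
            {
                // UTF-16 code units are 2 bytes each; no early exit on a mismatch.
                int x = Marshal.ReadInt16(pa, i * 2) ^ Marshal.ReadInt16(pb, i * 2);
                diff |= (uint)(x & 0xFFFF);
            }
            return diff == 0;
        }
        finally
        {
            // Zero the plaintext buffers before releasing them, even on exceptions.
            if (pa != IntPtr.Zero) Marshal.ZeroFreeBSTR(pa);
            if (pb != IntPtr.Zero) Marshal.ZeroFreeBSTR(pb);
        }
    }

    // Builds a constructed sample value; real code should fill SecureString char by char from input.
    static SecureString Make(string text)
    {
        var s = new SecureString();
        foreach (char c in text) s.AppendChar(c);
        s.MakeReadOnly();
        return s;
    }

    static void Main()
    {
        using (SecureString stored = Make("constructed-sample-1"),
                            same = Make("constructed-sample-1"),
                            other = Make("constructed-sample-2"))
        {
            Console.WriteLine(FixedTimeEquals(stored, same));
            Console.WriteLine(FixedTimeEquals(stored, other));
        }
    }
}
```

As with SlowEquals, the loop runs over the shorter input, so the running time still reflects the input lengths; only the position of the first differing character is hidden.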