Hi everyone,
When doing comparisons of sensitive data such as HMACS or other message digests, there are usually special functions in the language that can guarantee a constant run time. Otherwise, an attacker can gain information about the sensitive data by measuring the run time of the program.
As an example, in Java there is java.security.MessageDigest.isEqual
which should be used for that purpose.
How can I achieve such a comparison with constant run time in Kotlin? Can I somehow include the Java method in my code?
For more information regarding timing attacks, see, e.g. A Lesson In Timing Attacks (or, Don’t use MessageDigest.isEquals) | codahale.com