https://github.com/duzun/crypt-equals
Timing attack safe string/buffer comparison
- Host: GitHub
- URL: https://github.com/duzun/crypt-equals
- Owner: duzun
- License: mit
- Created: 2019-09-20T12:57:23.000Z (about 6 years ago)
- Default Branch: master
- Last Pushed: 2024-09-21T17:34:35.000Z (about 1 year ago)
- Last Synced: 2024-11-17T05:38:08.506Z (11 months ago)
- Language: JavaScript
- Homepage:
- Size: 188 KB
- Stars: 2
- Watchers: 2
- Forks: 0
- Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE
README
# crypt-equals
[Build status](https://travis-ci.com/duzun/crypt-equals) [Coverage](https://codecov.io/gh/duzun/crypt-equals)

Compares two strings or buffers, taking the same amount of time whether or not they are equal.

This function is useful to mitigate timing attacks, for instance when checking `crypto` password hashes.

**Note**: Both arguments must be of the same length to be compared successfully.
When arguments of differing length are supplied, `false` is returned immediately, so a timing attack may learn the length of the known string.
In most cases, however, the size and algorithm choice are not secret.

### Install

```sh
npm i -S crypt-equals
```

### Usage
```js
const cryptEq = require('crypt-equals');

const hash1 = 'LVYtSUvPsB7BRR3m6T5DXKLD-fTsb7K5tu1-bt1QjT8';
const hash2 = 'LVYtSUvPsB7BRR3m6T5DXKLD-fTsb7K5tu1-bt1QjT8';

if (cryptEq(hash1, hash2)) {
  console.log('equal hashes');
} else {
  console.log('not equal hashes');
}

// Supports Buffer as well
const buf1 = Buffer.from(hash1);
const buf2 = Buffer.from(hash2);

if (cryptEq(buf1, buf2)) {
  console.log('equal buffers');
} else {
  console.log('not equal buffers');
}
```
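The behaviour the README describes, as an added example rather than the package's own code: a naive early-exit comparison next to a constant-time one, both instrumented through a constructed `stats` argument so the number of bytes each one visits can be checked. The names `toBuffer`, `naiveEquals`, `constantTimeEquals` and `visitedBytes` are chosen here and are not part of crypt-equals.

```javascript
// Added example, not the crypt-equals package's own code: an early-exit
// comparison beside a constant-time one, each counting the bytes it visits
// so the behaviour the README describes can be observed. (Node's built-in
// crypto.timingSafeEqual also compares in constant time but throws on a
// length mismatch; this version returns false instead, as the README does.)
function toBuffer(x) {
  return Buffer.isBuffer(x) ? x : Buffer.from(String(x), 'utf8');
}

// Early-exit comparison: stops at the first differing byte, so the bytes
// visited (and the run time) reveal how long the matching prefix is.
// `stats` is a constructed instrumentation hook, not part of any API.
function naiveEquals(a, b, stats = { steps: 0 }) {
  const x = toBuffer(a), y = toBuffer(b);
  if (x.length !== y.length) return false;
  for (let i = 0; i < x.length; i++) {
    stats.steps++;
    if (x[i] !== y[i]) return false;
  }
  return true;
}

// Constant-time comparison: XOR each byte pair and OR the results into one
// accumulator without branching on the data, so every byte is visited. The
// only early return is the length check, which leaks length, not content.
function constantTimeEquals(a, b, stats = { steps: 0 }) {
  const x = toBuffer(a), y = toBuffer(b);
  if (x.length !== y.length) return false;
  let diff = 0;
  for (let i = 0; i < x.length; i++) {
    stats.steps++;
    diff |= x[i] ^ y[i];
  }
  return diff === 0;
}

// Count how many bytes a comparison function looked at for a given pair.
function visitedBytes(compare, a, b) {
  const stats = { steps: 0 };
  compare(a, b, stats);
  return stats.steps;
}
// Constructed sample values: the hash from the README and two candidates
// that differ from it in the first byte and in the last byte respectively.
const stored = 'LVYtSUvPsB7BRR3m6T5DXKLD-fTsb7K5tu1-bt1QjT8';
const wrongFirst = 'X' + stored.slice(1);
const wrongLast = stored.slice(0, -1) + 'X';
// visitedBytes(naiveEquals, stored, wrongFirst)        -> 1
// visitedBytes(naiveEquals, stored, wrongLast)         -> 43
// visitedBytes(constantTimeEquals, stored, wrongFirst) -> 43
```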
### Reading
- [A beginner's guide to constant-time cryptography](https://www.chosenplaintext.ca/articles/beginners-guide-constant-time-cryptography.html)