https://github.com/tonysantana1492/tsscmp-js
Timing safe string compare using double HMAC
Last synced: 8 months ago
- Host: GitHub
- URL: https://github.com/tonysantana1492/tsscmp-js
- Owner: tonysantana1492
- License: mit
- Created: 2024-03-23T19:46:38.000Z (over 1 year ago)
- Default Branch: main
- Last Pushed: 2024-03-23T20:08:30.000Z (over 1 year ago)
- Last Synced: 2024-04-24T13:27:35.653Z (over 1 year ago)
- Language: TypeScript
- Size: 20.5 KB
- Stars: 0
- Watchers: 1
- Forks: 0
- Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE
README
# Timing safe string compare using double HMAC
Prevents [timing attacks](http://codahale.com/a-lesson-in-timing-attacks/) using Brad Hill's
[Double HMAC pattern](https://www.nccgroup.trust/us/about-us/newsroom-and-events/blog/2011/february/double-hmac-verification/)
to perform secure string comparison. Double HMAC defeats iterative brute-force attacks by blinding the
timing channel, so that the time each comparison attempt takes appears random to the attacker.

## Install
```
npm install tsscmp-js
```

## Why
To compare secret values like **authentication tokens**, **passwords** or
**capability URLs** so that timing information is not
leaked to the attacker.

## Example
```js
import { timingSafeCompare } from "tsscmp-js";

// Secret value held by the server
const sessionToken = "5439fd10-e3e0-4926-a239-e95658906718";
// Value supplied by the client
const givenToken = "5439fd10-e3e0-4926-a239-e95658906718";

const isValid = await timingSafeCompare(sessionToken, givenToken);
if (isValid) {
  console.log("good token");
} else {
  console.log("bad token");
}
```

## License
[MIT](LICENSE)
**Credits to:** [@suryagh](https://github.com/suryagh)