Constant-time comparison algorithm to prevent Node.js timing attacks.
For more information about Node.js timing attacks, please visit https://snyk.io/blog/node-js-timing-attack-ccc-ctf/.
NOTICE:
If you are using Node.js v6.6.0 or higher, you can use crypto.timingSafeEqual(a, b) from the crypto
module. Keep in mind that the method crypto.timingSafeEqual
only accepts Buffer
s with the same length! This bundle will handle strings with different lengths for you.
$ npm install safe-compare --save
var safeCompare = require('safe-compare');
safeCompare('hello world', 'hello world'); // -> true
safeCompare('hello', 'not hello'); // -> false
safeCompare('hello foo', 'hello bar'); // -> false
Note: runtime is always corresponding to the length of the first parameter.
$ npm test
This Node.js module is a improvement of the two existing modules scmp and secure-compare. It uses the best parts of both implementations.
The implementation of scmp is a good base, but it has a shorter execution time if the string's length is not equal. The package secure-compare always compares the two input strings, but its implementation is not as clean as in scmp.
safe-compare is released under the MIT license.