safe-compare
Constant-time comparison algorithm to prevent Node.js timing attacks.
For more information about Node.js timing attacks, please visit https://snyk.io/blog/node-js-timing-attack-ccc-ctf/.
NOTICE:
If you are using Node.js v6.6.0 or higher, you can use crypto.timingSafeEqual(a, b) from the crypto module. Keep in mind that the method crypto.timingSafeEqual only accepts Buffers with the same length! This bundle will handle strings with different lengths for you.
Installation
$ npm install safe-compare --save
Usage
var safeCompare = require('safe-compare');
safeCompare('hello world', 'hello world'); // -> true
safeCompare('hello', 'not hello'); // -> false
safeCompare('hello foo', 'hello bar'); // -> falseNote: runtime is always corresponding to the length of the first parameter.
Tests
$ npm test
What's the improvement of this package?
This Node.js module is a improvement of the two existing modules scmp and secure-compare. It uses the best parts of both implementations.
The implementation of scmp is a good base, but it has a shorter execution time if the string's length is not equal. The package secure-compare always compares the two input strings, but its implementation is not as clean as in scmp.
License
safe-compare is released under the MIT license.
