Constant-time comparison algorithm to prevent Node.js timing attacks.
For more information about Node.js timing attacks, please visit https://snyk.io/blog/node-js-timing-attack-ccc-ctf/.
If you are using Node.js v6.6.0 or higher, you can use crypto.timingSafeEqual(a, b) from the
crypto module. Keep in mind that the method
crypto.timingSafeEqual only accepts
Buffers with the same length! This bundle will handle strings with different lengths for you.
$ npm install safe-compare --save
var safeCompare = require('safe-compare'); safeCompare('hello world', 'hello world'); // -> true safeCompare('hello', 'not hello'); // -> false safeCompare('hello foo', 'hello bar'); // -> false
Note: runtime is always corresponding to the length of the first parameter.
$ npm test
What's the improvement of this package?
The implementation of scmp is a good base, but it has a shorter execution time if the string's length is not equal. The package secure-compare always compares the two input strings, but its implementation is not as clean as in scmp.
safe-compare is released under the MIT license.