add constant time compare function to mitigate timing attacks

shawnmclean · Oct 9, 2013 · de6aa4e · de6aa4e · mikegoatly · Jul 18, 2014
1 parent 8d107c8
commit de6aa4e
Show file tree

Hide file tree

Showing 4 changed files with 46 additions and 3 deletions.
diff --git a/README.md b/README.md
@@ -33,7 +33,8 @@ Hash Password Example:
 	            
     //validate user
     //compare the password (this should be true since we are rehashing the same password and using the same generated salt)
-    bool isPasswordValid = cryptoService.Compute(password, salt) == hashedPassword;
+    string hashedPassword2 = cryptoService.Compute(password, salt);
+    bool isPasswordValid = cryptoService.Compare(hashedPassword, hashedPassword2);
 
 Generate Random Password Example:
 

diff --git a/src/Interfaces/ICryptoService.cs b/src/Interfaces/ICryptoService.cs
@@ -86,5 +86,12 @@ public interface ICryptoService
         /// <param name="iteration"></param>
         /// <returns></returns>
         int GetElapsedTimeForIteration(int iteration);
+
+        /// <summary>
+        /// Compare the passwords for equality
+        /// <param name="passwordHash1">The first password hash to compare</param>
+        /// <param name="passwordHash2">The second password hash to compare</param>
+        /// <returns>true: indicating the password hashes are the same, false otherwise.</param>
+        bool Compare(string passwordHash1, string passwordHash2);
     }
 }
diff --git a/src/PBKDF2.cs b/src/PBKDF2.cs
@@ -208,6 +208,24 @@ private void expandSalt()
             }
         }
 
-
+        /// <summary>
+        /// Compare password hashes for equality. Uses a constant time comparison method.
+        /// </summary>
+        /// <param name="passwordHash1"></param>
+        /// <param name="passwordHash2"></param>
+        /// <returns></returns>
+        public bool Compare(string passwordHash1, string passwordHash2)
+        {
+            if (passwordHash1 == null || passwordHash2 == null)
+                return false;
+
+            int min_length = Math.Min(passwordHash1.Length, passwordHash2.Length);
+            int result = 0;
+
+            for(int i = 0; i < min_length; i++)
+                result |= passwordHash1[i] ^ passwordHash2[i];
+
+            return 0 == result;
+        }
     }
 }
diff --git a/tests/PBKDF2Tests.cs b/tests/PBKDF2Tests.cs
@@ -1,4 +1,5 @@
-using System;
+using System;
+using System.Diagnostics;
 using NUnit.Framework;
 
 namespace SimpleCrypto.Tests
@@ -164,5 +165,21 @@ public void Generate_Salt_Sets_Salt_Property()
 
             Assert.AreEqual(crypto.Salt, salt, "The returned salt is not the salt set as parameter");
         }
+
+        [Test]
+        public void Comparison_To_Same_Hash_Returns_True()
+        {
+            var crypto = CreateICryptoService();
+
+            var hash1 = crypto.Compute("password");
+            var salt = crypto.Salt;
+
+            var hash2 = crypto.Compute("password", salt);
+
+            Assert.IsTrue(crypto.Compare(hash1, hash2), "Hash comparison fails");
+
+            var hash3 = crypto.Compute("pasw1rd", salt);
+            Assert.IsFalse(crypto.Compare(hash1, hash3), "Hash comparison should fail but didn't");
+        }
     }
 }