safe-compare

Constant-time comparison algorithm to prevent Node.js timing attacks.

For more information about Node.js timing attacks, please visit https://snyk.io/blog/node-js-timing-attack-ccc-ctf/.

NOTICE:

If you are using Node.js v6.6.0 or higher, you can use crypto.timingSafeEqual(a, b) from the crypto module. Keep in mind that the method crypto.timingSafeEqual only accepts Buffers with the same length! This bundle will handle strings with different lengths for you.

Installation

$ npm install safe-compare --save

Usage

var safeCompare = require('safe-compare');
 
safeCompare('hello world', 'hello world'); // -> true
 
safeCompare('hello', 'not hello'); // -> false
safeCompare('hello foo', 'hello bar'); // -> false

Note: runtime is always corresponding to the length of the first parameter.

Tests

$ npm test

What's the improvement of this package?

This Node.js module is a improvement of the two existing modules scmp and secure-compare. It uses the best parts of both implementations.

The implementation of scmp is a good base, but it has a shorter execution time if the string's length is not equal. The package secure-compare always compares the two input strings, but its implementation is not as clean as in scmp.

License

safe-compare is released under the MIT license.