It was added to Node.js 6.6.0 as crypto.timingSafeEqual().
Check if two buffers have the same bytes in constant time
$ npm install buffer-equals-constant
const bufferEqualsConstant = require('buffer-equals-constant');
bufferEqualsConstant(new Buffer('foo'), new Buffer('foo'));
//=> true
bufferEqualsConstant(new Buffer('foo'), new Buffer('bar'));
//=> false
bufferEqualsConstant(new Buffer('foo'), new Buffer('foo'), 512);
//=> true
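Returns a boolean of whether a and b have the same bytes.
a
Type: Buffer
Buffer to compare.
b
Type: Buffer
Buffer to compare.
minComp
Type: number
Default: Math.max(a.length, b.length)
Minimal number of comparisons used to determine equality.
If the length of a or b depends on the input of your algorithm, a possible attacker may gain information about these lengths by varying the input: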
const secret = new Buffer('secret');
bufferEqualsConstant(input, secret);
Based on the execution time of different input.length, an attacker may discover secret.length === 6, because bufferEqualsConstant will perform the same number of operations for all input with 0 <= input.length <= secret.length, but needs more operations if input.length > secret.length.
To alleviate this problem minComp can be used:
bufferEqualsConstant(input, new Buffer('secret'), 1024);
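The length leak and the effect of minComp can be seen by counting comparison rounds instead of measuring time. The block below is an added example, not the module's source: `compareCounting`, `roundsFor` and `digestEqual` are hypothetical names, the inputs are constructed, and `digestEqual` goes one step beyond the README by showing a length-independent comparison built on crypto.timingSafeEqual() using HMAC-SHA256 digests.

```javascript
const crypto = require('crypto');

// Hypothetical re-implementation of the behaviour the README describes
// (not the module's source). It also returns the number of loop rounds,
// so the length leak can be observed without measuring time.
function compareCounting(a, b, minComp = 0) {
  const rounds = Math.max(a.length, b.length, minComp);
  let diff = a.length ^ b.length; // differing lengths can never be equal
  for (let i = 0; i < rounds; i++) {
    // Reads past the end yield undefined; `| 0` turns that into 0.
    diff |= (a[i] | 0) ^ (b[i] | 0);
  }
  return { equal: diff === 0, rounds };
}

// Rounds spent for inputs of the given lengths (constructed input bytes).
function roundsFor(secret, lengths, minComp) {
  return lengths.map(
    (n) => compareCounting(Buffer.alloc(n, 0x41), secret, minComp).rounds
  );
}

// Alternative built on crypto.timingSafeEqual(), which throws when the
// lengths differ: compare fixed-size HMAC-SHA256 digests under a random
// per-call key, so the final comparison always covers 32 bytes.
function digestEqual(a, b) {
  const key = crypto.randomBytes(32);
  const mac = (buf) => crypto.createHmac('sha256', key).update(buf).digest();
  return crypto.timingSafeEqual(mac(a), mac(b));
}

const secret = Buffer.from('secret');
console.log(roundsFor(secret, [0, 3, 6, 7, 12]));       // [ 6, 6, 6, 7, 12 ]
console.log(roundsFor(secret, [0, 3, 6, 7, 12], 1024)); // all 1024
console.log(digestEqual(Buffer.from('secre'), secret)); // false, no throw
```

With this counting model, minComp only flattens the round count for inputs up to minComp bytes; a longer input still adds rounds, so bound the input length before comparing.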
- buffer-equals - Node.js 0.12 buffer.equals() ponyfill
- buf-compare - Node.js 0.12 Buffer.compare() ponyfill
- buf-indexof - Node.js 4.0 buffer.indexOf() ponyfill
MIT © Sindre Sorhus