Timing safe string compare using double HMAC

Prevents timing attacks using Brad Hill's
Double HMAC pattern
to perform secure string comparison. Double HMAC avoids the timing attacks by blinding the
timing channel using random time per attempt comparison against iterative brute force attacks.

Install



npm install tsscmp-js





Why



To compare secret values like authentication tokens, passwords or

capability urls so that timing information is not

leaked to the attacker.



Example

js

import { timingSafeCompare } from "tsscmp-js";



const sessionToken = "5439fd10-e3e0-4926-a239-e95658906718";

const givenToken = "5439fd10-e3e0-4926-a239-e95658906718";



const isValid = await timingSafeCompare(sessionToken, givenToken);



if (isValid) {

  console.log("good token");

} else {

  console.log("bad token");

}

License

MIT

Credits to: @suryagh

Timing safe string compare using double HMAC

Install



npm install tsscmp-js





Why



To compare secret values like authentication tokens, passwords or

capability urls so that timing information is not

leaked to the attacker.



Example

js

import { timingSafeCompare } from "tsscmp-js";



const sessionToken = "5439fd10-e3e0-4926-a239-e95658906718";

const givenToken = "5439fd10-e3e0-4926-a239-e95658906718";



const isValid = await timingSafeCompare(sessionToken, givenToken);



if (isValid) {

  console.log("good token");

} else {

  console.log("bad token");

}

License

MIT

Credits to: @suryagh