timing-safe-compare
v1.0.1
timing safe string compare, using double hmac
Timing safe string compare using double hmac
Prevents timing attacks by using Brad Hill's Double HMAC pattern to perform safe string comparison. The approach is similar to Node's native implementation of timing-safe buffer comparison, which will be available in v6+.
Double HMAC avoids timing attacks by blinding the timing channel: the time taken by each comparison attempt appears random, which defeats iterative brute-force attacks.
Install
npm install timing-safe-compare
Why?
To minimize vulnerability to timing attacks during string comparison.
Examples
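var timingSafeCompare = require('timing-safe-compare');

// Token stored server-side and token supplied by the client.
var sessionToken = '127e6fbfe24a750e72930c220a8e138275656b8e5d8f48a98c3c92df2caba935';
var givenToken = '127e6fbfe24a750e72930c220a8e138275656b8e5d8f48a98c3c92df2caba935';

// Compare with timingSafeCompare instead of === so the comparison time
// does not depend on where the first mismatching character is.
if (timingSafeCompare(sessionToken, givenToken)) {
  console.log('good token');
} else {
  console.log('bad token');
}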
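
A sketch of the Double HMAC pattern described above, written for this page as an added example; it is not the package's own source. The names doubleHmacCompare, macPair, leadingMatch, demo and nearMiss are hypothetical, and it assumes a Node version that provides crypto.timingSafeEqual.

```javascript
'use strict';
const crypto = require('crypto');

// HMAC both inputs under the same key (hypothetical helper).
function macPair(key, a, b) {
  const mac = (s) => crypto.createHmac('sha256', key).update(s, 'utf8').digest();
  return [mac(a), mac(b)];
}

// Double HMAC comparison: compare MACs of the inputs, never the inputs themselves.
function doubleHmacCompare(a, b) {
  // Reject non-strings instead of coercing (String(undefined) would be 'undefined').
  if (typeof a !== 'string' || typeof b !== 'string') return false;
  // A fresh random key per call makes the MAC bytes unpredictable to the caller,
  // so timing of the final compare says nothing about the inputs' shared prefix.
  const key = crypto.randomBytes(32);
  const [macA, macB] = macPair(key, a, b);
  // Digests are always 32 bytes, so inputs of different lengths cannot make
  // timingSafeEqual throw; the constant-time compare is defence in depth.
  return crypto.timingSafeEqual(macA, macB);
}

// Number of equal leading bytes: what an early-exit comparison would leak.
function leadingMatch(x, y) {
  let i = 0;
  while (i < x.length && i < y.length && x[i] === y[i]) i++;
  return i;
}

// Constructed sample input: the readme's token and a guess that differs
// only in the final character.
const sessionToken = '127e6fbfe24a750e72930c220a8e138275656b8e5d8f48a98c3c92df2caba935';
const nearMiss = sessionToken.slice(0, -1) + '6';

// Contrast the shared prefix of the raw inputs with that of their MACs.
function demo() {
  const raw = leadingMatch(Buffer.from(sessionToken), Buffer.from(nearMiss));
  const [m1, m2] = macPair(crypto.randomBytes(32), sessionToken, nearMiss);
  return { raw: raw, blinded: leadingMatch(m1, m2) };
}

console.log(doubleHmacCompare(sessionToken, sessionToken)); // matching tokens
console.log(doubleHmacCompare(sessionToken, nearMiss));     // near-miss guess
console.log(demo()); // raw prefix is long; the blinded prefix changes every run
```

The raw inputs share all but their last byte, which is the signal a naive comparison leaks one character at a time; the MACs of the same two inputs share essentially no prefix, and that prefix changes with every random key.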