Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

crypto.timingSafeEqual is not really time safe? #17178

Closed
elaygl opened this issue Nov 21, 2017 · 3 comments
Closed

crypto.timingSafeEqual is not really time safe? #17178

elaygl opened this issue Nov 21, 2017 · 3 comments
Labels
crypto Issues and PRs related to the crypto subsystem. question Issues that look for answers.

Comments

@elaygl
Copy link

elaygl commented Nov 21, 2017

After trying to use crypto.timingSafeEqual with two buffers that have different length I've got an exception.

I read the docs and realized that crypto.timingSafeEqual is supporting only buffers with the same length which is contradicting the concept of timing safe compare.

The comparison code:

void TimingSafeEqual(const FunctionCallbackInfo<Value>& args) {

Maybe it's worth to implement it like that: https://github.com/vadimdemedes/secure-compare/blob/master/index.js#L12

@bnoordhuis bnoordhuis added crypto Issues and PRs related to the crypto subsystem. question Issues that look for answers. labels Nov 21, 2017
@bnoordhuis
Copy link
Member

See #3043, #3073 and #8040. The current behavior is the product of a stupefying amount of discussion. I think it's unlikely we'll revisit that.

As well, your suggestion is a subtle change in behavior. Too subtle, IMO - it might end up breaking applications in ways that go undetected until it's too late. That risk alone practically rules it out.

@ryangreenberg
Copy link

Generally a comparison function that is resistant to timing attacks is used to compare signatures or hashes, which should be the same length by virtue of being generated by a hash function. If you are accepting a user-provided signature and want to compare it in a safe way, it's OK to check the length first and return early, e.g. return a.length === b.length && timingSafeEqual(new Buffer(a), new Buffer(b)). This doesn't reveal any information about the contents that would aid a typical attack.

See https://codahale.com/a-lesson-in-timing-attacks/ for more details (which also does a length equality check).

@jaylattice
Copy link

Length checks are timing safe, because they do not depend on time.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
crypto Issues and PRs related to the crypto subsystem. question Issues that look for answers.
Projects
None yet
Development

No branches or pull requests

4 participants