Secure Byte Comparison to Prevent Timing Attacks

Snippet

Secure Byte Comparison to Prevent Timing Attacks

In security contexts like password hashing, comparing bytes must take the same amount of time regardless of whether the arrays match. A standard 'Equals' method returns early on the first mismatch, leaking information that attackers can use to guess values via timing measurements.

snippet.cs

csharp

public static bool ConstantTimeEquals(byte[] a, byte[] b)
{
    if (a.Length != b.Length) return false;
 
    int result = 0;
    for (int i = 0; i < a.Length; i++)
    {
        result |= a[i] ^ b[i];
    }
    return result == 0;
}

Breakdown

result |= a[i] ^ b[i];

Uses XOR to check for differences and bitwise OR to accumulate them without branching.

return result == 0;

Only returns true if all XOR operations resulted in zero (no differences found).

Previous snippet Next snippet

More Intermediate C# exercises →

From your library

Secure Byte Comparison to Prevent Timing Attacks

Related