Constant-time Comparisons for Cryptographic Integrity

Snippet

Constant-time Comparisons for Cryptographic Integrity

Standard equality operators (==, ===) return as soon as a mismatch is found. This allows attackers to use 'timing attacks' to guess a secret byte-by-byte by measuring response times. timingSafeEqual ensures the comparison always takes the same amount of time regardless of where the mismatch occurs.

snippet.js

javascript

import { timingSafeEqual } from 'node:crypto';
 
function verifyToken(input, actual) {
  const inputBuf = Buffer.from(input);
  const actualBuf = Buffer.from(actual);
 
  if (inputBuf.length !== actualBuf.length) {
    return false;
  }
 
  return timingSafeEqual(inputBuf, actualBuf);
}

nodejs

Breakdown

import { timingSafeEqual } from 'node:crypto';

Imports the specialized comparison function from Node's crypto module.

const inputBuf = Buffer.from(input);

Converts strings to Buffers as the function requires Buffer or TypedArray inputs.

if (inputBuf.length !== actualBuf.length)

Pre-check length; timingSafeEqual throws an error if buffer lengths differ.

return timingSafeEqual(inputBuf, actualBuf);

Executes a constant-time comparison to prevent side-channel leakage.

Previous snippet Next snippet

More Expert JavaScript exercises →

From your library

Constant-time Comparisons for Cryptographic Integrity

Related