Preventing Timing Attacks with crypto

Snippet

Preventing Timing Attacks with crypto

When comparing secrets like API keys, standard equality operators (===) return early as soon as a mismatch is found. This allows attackers to measure the time taken to guess the key. timingSafeEqual ensures the comparison always takes the same amount of time.

snippet.js
javascript
const crypto = require('crypto');
 
function verifySecret(input, actual) {
  const inputBuffer = Buffer.from(input);
  const actualBuffer = Buffer.from(actual);
 
  if (inputBuffer.length !== actualBuffer.length) {
    return false;
  }
  return crypto.timingSafeEqual(inputBuffer, actualBuffer);
}

nodejs

Breakdown

crypto.timingSafeEqual(inputBuffer, actualBuffer);

Performs a constant-time comparison of two buffers to prevent side-channel timing analysis.

Previous snippet Next snippet

More Intermediate JavaScript exercises →

From your library

Preventing Timing Attacks with crypto

Related