Node: crypto.timingSafeEqual is not really time safe?

Created on 21 Nov 2017 · 3Comments · Source: nodejs/node

After trying to use crypto.timingSafeEqual with two buffers that have different length I've got an exception.

I read the docs and realized that crypto.timingSafeEqual is supporting only buffers with the same length which is contradicting the concept of timing safe compare.

The comparison code:
https://github.com/nodejs/node/blob/51e0948862f8920c0387f6702843e8fd79f24172/src/node_crypto.cc#L6065

Maybe it's worth to implement it like that: https://github.com/vadimdemedes/secure-compare/blob/master/index.js#L12

crypto question

Source

elaygl

Most helpful comment

Generally a comparison function that is resistant to timing attacks is used to compare signatures or hashes, which should be the same length by virtue of being generated by a hash function. If you are accepting a user-provided signature and want to compare it in a safe way, it's OK to check the length first and return early, e.g. return a.length === b.length && timingSafeEqual(new Buffer(a), new Buffer(b)). This doesn't reveal any information about the contents that would aid a typical attack.

See https://codahale.com/a-lesson-in-timing-attacks/ for more details (which also does a length equality check).

ryangreenberg on 3 Dec 2017

👍11

All 3 comments

See #3043, #3073 and #8040. The current behavior is the product of a stupefying amount of discussion. I think it's unlikely we'll revisit that.

As well, your suggestion is a subtle change in behavior. Too subtle, IMO - it might end up breaking applications in ways that go undetected until it's too late. That risk alone practically rules it out.