Differences

This shows you the differences between two versions of the page.

--- rfc:timing_attack [2013/12/22 17:02] – created realityking
+++ rfc:timing_attack [2013/12/23 16:45] – realityking
@@ Line 1: / Line 1: @@
 ====== Request for Comments: Timing attack safe string comparison function ======
-  * Version: 0.1
+  * Version: 0.2
   * Date: 2013-12-22
   * Author: Rouven Weßling, me@rouvenwessling
@@ Line 17: / Line 17: @@
 ===== Proposal =====
-Implement a new function called str_equals.
+Implement a new function called hash_compare.
-Signature bool str_equals(string knownString, string userString)
+Signature bool hash_compare(string knownString, string userString)
-The time this function takes is based only on two variables:
+The time this function takes is based only on the length of the user supplied string.
-* length of userString
-* whether the length of knownString is zero
-The latter is a slight information leak but so uncommon it shouldn't be of much concern. However this needs to be documented.
 Users have to be mindful, as it is important that the user supplied string (or a hash of that string) is used as the the second parameter not the first.
@@ Line 43: / Line 39: @@
 ===== Open Issues =====
-* Decide on a name for the function.
+  * Decide on a name for the function.
 ===== Patches and Tests =====
@@ Line 56: / Line 52: @@
   * [[https://github.com/symfony/security-core/blob/master/Util/StringUtils.php#L36|Symfony2 constant-time string comparison]]
   * [[https://github.com/joomla/joomla-cms/blob/master/libraries/joomla/crypt/crypt.php#L262|Joomla constant-time string comparison]]
+  * [[https://github.com/zendframework/zf2/blob/master/library/Zend/Crypt/Utils.php#L17|Zend Framework 2 constant-time string comparison]]
+===== Changelog =====
+  * 0.1 Initial publication
+  * 0.2 Renamed to hash_compare, added link to Zend Framework 2, removed information leak when knownString is empty (Thank you Tjerk)

Differences

Page Tools