Request for Comments: Timing attack safe string comparison function

• Version: 0.1
• Date: 2013-12-22
• Author: Rouven Weßling, me@rouvenwessling
• Status: Under Discussion
• First Published at: http://wiki.php.net/rfc/timing_attack

Timing attacks are not a widely recognized problem, since they require significant skill and resources of the attacker. To prevent these attacks constant-time string comparisons can be used. These implementations are rather hard to get right, without leaking timing information.

While high profile applications and frameworks already ship with time-constant string comparison functions, this RFC aims to make it simpler for PHP developers to protect their applications. Additionally there's less chance of unexpected timing differences in lower level languages.

The password_verify function implemented in PHP 5.5 already does a time-constant string comparison, however in many projects bcrypt can not be used for some reason (legacy project, interfacing with other systems, etc.), but they'd still benefit from this functionality.

Implement a new function called str_equals.

Signature bool str_equals(string knownString, string userString)

The time this function takes is based only on two variables:

• length of userString
• whether the length of knownString is zero

The latter is a slight information leak but so uncommon it shouldn't be of much concern. However this needs to be documented.

Users have to be mindful, as it is important that the user supplied string (or a hash of that string) is used as the the second parameter not the first.

None.

Next PHP 5.x

None.

• Decide on a name for the function.

Patch including tests: https://github.com/realityking/php-src/compare/timing_attack

• Add Simplified Password Hashing RFC
• Nanosecond Scale Remote Timing Attacks on PHP Applications
• Exploiting Remote Timing Attacks
• Symfony2 constant-time string comparison
• Joomla constant-time string comparison