1.0.2 • Published 1 month ago

tsscmp-js v1.0.2

Weekly downloads
-
License
MIT
Repository
github
Last release
1 month ago

Timing safe string compare using double HMAC

Prevents timing attacks using Brad Hill's Double HMAC pattern to perform secure string comparison. Double HMAC avoids the timing attacks by blinding the timing channel using random time per attempt comparison against iterative brute force attacks.

Install

npm install tsscmp-js

Why

To compare secret values like authentication tokens, passwords or capability urls so that timing information is not leaked to the attacker.

Example

import { timingSafeCompare } from "tsscmp-js";

const sessionToken = "5439fd10-e3e0-4926-a239-e95658906718";
const givenToken = "5439fd10-e3e0-4926-a239-e95658906718";

const isValid = await timingSafeCompare(sessionToken, givenToken);

if (isValid) {
  console.log("good token");
} else {
  console.log("bad token");
}

License

MIT

Credits to: @suryagh

timing safe string comparedouble hmac string comparesafe string comparehmac
1.0.2

1 month ago

1.0.1

1 month ago

1.0.0

1 month ago