2.1.0 • Published 2 years ago

tsse v2.1.0

Weekly downloads: 2,801
License: MIT
Repository: github
Last release: 2 years ago

Synopsis

tsse is a constant-time string comparison function that helps prevent timing attacks in Node.js.

This differs from crypto.timingSafeEqual because it:

  • supports both strings and Buffers;
  • supports inputs of different lengths.

Install

$ npm install --save tsse

Usage

const tsse = require('tsse');

const hash      = '0a4d55a8d778e5022fab701977c5d840bbc486d0';
const givenHash = '1265a5eb08997ced279d3854629cba68a378b528';

if (tsse(hash, givenHash)) {
  console.log('good hash');
} else {
  console.log('bad hash');
}
// => bad hash

API

tsse(hiddenStr, inputStr) ⇒ boolean

Does a constant-time String comparison.
NOTE: When hiddenStr and inputStr have different lengths, hiddenStr is compared to itself, which makes the comparison non-commutative (time-wise). Pass the value you don't want to leak as hiddenStr.

Kind: global function
Returns: boolean - true if the inputs are equal, false otherwise.
Access: public

Param      Type             Description
hiddenStr  string | Buffer  A string that you don't want to leak.
inputStr   string | Buffer  Another string.
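
The two differences from crypto.timingSafeEqual listed in the Synopsis, and the length-mismatch strategy from the NOTE above, shown as an added example; this is not tsse's source code. The names toBuffer, safeEqual and nativeOutcome are hypothetical, and the hash values are the ones from the Usage section.

```javascript
// Added illustration; not the tsse implementation.
const { timingSafeEqual } = require('crypto');

// Hypothetical helper: accept a string or a Buffer, always return a Buffer.
function toBuffer(value) {
  if (Buffer.isBuffer(value)) return value;
  if (typeof value === 'string') return Buffer.from(value, 'utf8');
  throw new TypeError('expected a string or a Buffer');
}

// Hypothetical helper following the strategy in the API note:
// on a length mismatch the secret is compared to itself and the
// result is discarded, so the comparison work tracks the secret's
// byte length rather than the position of the first differing byte.
function safeEqual(hiddenStr, inputStr) {
  const hidden = toBuffer(hiddenStr);
  const input = toBuffer(inputStr);
  // Compare byte lengths, not string lengths: 'é' is 1 character but 2 bytes.
  if (hidden.length !== input.length) {
    timingSafeEqual(hidden, hidden);
    return false;
  }
  return timingSafeEqual(hidden, input);
}

// What crypto.timingSafeEqual does by itself with the same inputs:
// returns the boolean as a string, or the error code it threw.
function nativeOutcome(a, b) {
  try {
    return String(timingSafeEqual(a, b));
  } catch (err) {
    return err.code || err.name;
  }
}

const hash = '0a4d55a8d778e5022fab701977c5d840bbc486d0';
const givenHash = '1265a5eb08997ced279d3854629cba68a378b528';
console.log(safeEqual(hash, givenHash));                // same length, different content
console.log(safeEqual(hash, hash.slice(0, 8)));         // different lengths, no exception
console.log(nativeOutcome(Buffer.from(hash), Buffer.from(hash.slice(0, 8))));
console.log(nativeOutcome(hash, hash));                 // strings are rejected natively
```
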

Contributing

Contributions are REALLY welcome and if you find a security flaw in this code, PLEASE report it.

Authors

See also the list of contributors who participated in this project.

License

This project is licensed under the MIT License - see the license file for details.