Reputation: 3068
Some suggest that using simple string comparison to match passwords is insecure due to timing attacks. For example, see this question. Well, I tried to measure the time difference between two password guesses in node.js. Here is the code:
    const pass = '................................................................';
    const guess1 = '..X.............................................................';
    const guess2 = '.............................................................X..';

    // Convert a process.hrtime() [seconds, nanoseconds] tuple to nanoseconds.
    function ns(hrtime) {
      return hrtime[0] * 1e9 + hrtime[1];
    }

    test(guess1);
    test(guess2);
    test(guess1);
    test(guess2);
    test(guess1);
    test(guess2);
    test(guess1);
    test(guess2);
    test(guess1);
    test(guess2);
    test(guess1);
    test(guess2);

    // Time 1e5 comparisons of one guess against the password and print the total.
    function test(guess) {
      const start = process.hrtime();
      for (let i = 0; i < 1e5; ++i) {
        if (guess === pass) throw new Error('HIT');
      }
      const time = ns(process.hrtime(start));
      console.log('%d ns %s', time, guess);
    }
Here is the result from one execution on my machine:
2073045 ns ..X.............................................................
58420 ns .............................................................X..
57778 ns ..X.............................................................
57468 ns .............................................................X..
57554 ns ..X.............................................................
57436 ns .............................................................X..
57589 ns ..X.............................................................
57798 ns .............................................................X..
57798 ns ..X.............................................................
57506 ns .............................................................X..
57969 ns ..X.............................................................
57974 ns .............................................................X..
There seems to be no correlation between the time and the different password guesses. Am I doing something wrong, or is there really no measurable time difference?
Upvotes: 2
Views: 366
Reputation: 138267
1) I hope you're hashing the passwords securely. That means one may time how close the hashes are to each other. As long as the hashing function is safe that's not helpful at all.
2) There's a difference between measuring directly on the machine and a real-world attack. When an attacker times a request, that will include the network's latency as well as node.js latency. If we're talking about nanoseconds, no one will notice any difference.
Upvotes: 2
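An added example, not code from either post: it counts how many bytes an early-exit comparison inspects for the question's two guesses, which is the data-dependent work a timing measurement tries to observe, and then verifies a password by comparing salted scrypt digests with Node's `crypto.timingSafeEqual`. The function names and the `{ salt, hash }` record layout are assumptions made for the illustration.

```javascript
const crypto = require('crypto');

// Constructed sample values with the same shape as the strings in the question.
const pass = '.'.repeat(64);
const guess1 = '..X' + '.'.repeat(61);   // first mismatch at index 2
const guess2 = '.'.repeat(61) + 'X..';   // first mismatch at index 61

// Byte-by-byte comparison that stops at the first mismatch. It also reports
// how many bytes it inspected, so the input-dependent work is visible.
function earlyExitCompare(a, b) {
  const x = Buffer.from(a, 'utf8');
  const y = Buffer.from(b, 'utf8');
  if (x.length !== y.length) return { equal: false, compared: 0 };
  for (let i = 0; i < x.length; i++) {
    if (x[i] !== y[i]) return { equal: false, compared: i + 1 };
  }
  return { equal: true, compared: x.length };
}

// Store a salted scrypt digest instead of the password itself.
function hashPassword(password) {
  const salt = crypto.randomBytes(16);
  return { salt, hash: crypto.scryptSync(password, salt, 32) };
}

// Derive a digest from the guess with the stored salt, then compare the two
// equal-length digests with timingSafeEqual, which does not stop at the
// first differing byte. Guesses of any length yield a 32-byte digest, so
// timingSafeEqual never throws on a length mismatch here.
function verifyPassword(record, guess) {
  const candidate = crypto.scryptSync(guess, record.salt, record.hash.length);
  return crypto.timingSafeEqual(candidate, record.hash);
}

const record = hashPassword(pass);
console.log(earlyExitCompare(pass, guess1), earlyExitCompare(pass, guess2));
console.log(verifyPassword(record, pass), verifyPassword(record, guess1));
```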