Closed manooi closed 6 months ago
- Why does it use `userInputLength` instead of `secretLength` when allocating `secretBuffer`?
Because this way, the runtime behaviour of the function will only depend on the input and not on the secret, securing a possible attack vector to sniff for the length of the secret via statistical analysis etc.
- Why does it use bitwise `&` instead of the logical `&&`?
Because `&&` shortcuts if the first condition is false, making the timing depend on the conditions being true or false. `&` does not shortcut and will always evaluate both sides. This helps against timing attacks again (and is also why the README says to use `&` on the consumer side as well).
Thanks 🙏
Hi,
I use this library to secure my NestJS Swagger endpoints, and it works great! I wanted to see how it works by digging around in the source code, and I found something that seemed odd to me.
Here're my questions:
- Why does it use `userInputLength` instead of `secretLength` when allocating `secretBuffer`?
- Why does it use bitwise `&` instead of the logical `&&`?

Thanks
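
The two points from the reply in this thread, as an added Node.js example that is not the library's own code: buffers sized by the input length, and `&` versus `&&` when combining results. The function names, the call counter and the demo credentials are constructed for illustration, and the use of Node's `crypto.timingSafeEqual` is an assumption, not something stated in the thread.

```javascript
// Added example. Variable names follow the thread (userInputLength,
// secretLength, secretBuffer); everything else is illustrative.
const { timingSafeEqual } = require("node:crypto");

let compareCalls = 0; // demo instrumentation only, to show short-circuiting

function safeCompare(userInput, secret) {
  compareCalls += 1;
  const userInputLength = Buffer.byteLength(userInput);
  const secretLength = Buffer.byteLength(secret);

  // Both buffers are sized by the input, so allocation and comparison cost
  // depend on what the caller sent, not on the length of the secret.
  const userInputBuffer = Buffer.alloc(userInputLength, 0);
  userInputBuffer.write(userInput);
  const secretBuffer = Buffer.alloc(userInputLength, 0);
  secretBuffer.write(secret); // truncated or zero-padded to the input length

  // timingSafeEqual needs equal-length buffers, which holds by construction.
  const sameBytes = timingSafeEqual(userInputBuffer, secretBuffer);
  // A truncated secret can equal a shorter input, so lengths must match too.
  const sameLength = userInputLength === secretLength;
  // Bitwise & always evaluates both operands and yields 0 or 1.
  return Boolean(sameBytes & sameLength);
}

// Constructed demo credentials.
const DEMO_USER = "admin";
const DEMO_PASS = "s3cret-demo";

// Consumer side with &: the password is compared even if the user is wrong.
function checkBitwise(user, pass) {
  return Boolean(safeCompare(user, DEMO_USER) & safeCompare(pass, DEMO_PASS));
}

// Consumer side with &&: a wrong user skips the password comparison.
function checkLogical(user, pass) {
  return safeCompare(user, DEMO_USER) && safeCompare(pass, DEMO_PASS);
}

// Number of safeCompare calls a given check performs for one login attempt.
function callsFor(check, user, pass) {
  const before = compareCalls;
  check(user, pass);
  return compareCalls - before;
}
```

With a wrong username, `checkBitwise` performs two comparisons and `checkLogical` only one, which is the difference in work that the reply describes as a timing signal.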