pyramation / totp

RFC6238 TOTP implementation in pure PostgreSQL plpgsql
MIT License
117 stars 5 forks

use a constant string comparison to avoid timing attack #3

Open pyramation opened 3 years ago

pyramation commented 3 years ago

as in the discussion here: https://news.ycombinator.com/item?id=26258261#26271329

- Using '=' for comparing TOTPs in the totp.verify function[1] is not safe from timing attacks.

https://github.com/pyramation/totp/blob/7ec3104/packages/totp/sql/launchql-totp--0.0.3.sql#L111

pyramation commented 3 years ago

So upon research it looks like it's quite easily fixed by comparing all digits individually, and then aggregating if all true, but continuing the iteration and checks even if a false value has been found. I suppose that would cover this case.
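One way to write the comparison the comment above describes, as an added plpgsql example that is not code from the pyramation/totp repository: every character position is visited regardless of where the first difference occurs, and the per-position results are folded together with bitwise operators instead of an early `RETURN`. The function name `totp_consttime_equal` and its signature are assumptions, not the project's API.

```sql
-- Added example, not part of pyramation/totp. Compares two text values
-- without exiting early on the first mismatch. Function name and
-- signature are assumed for illustration.
CREATE OR REPLACE FUNCTION totp_consttime_equal(a text, b text)
RETURNS boolean
LANGUAGE plpgsql
IMMUTABLE
STRICT            -- NULL input yields NULL without entering the body
AS $$
DECLARE
  len_a    int := length(a);
  len_b    int := length(b);
  n        int := greatest(len_a, len_b);
  i        int;
  mismatch int := 0;
  ca       int;
  cb       int;
BEGIN
  -- Iterate over the longer length so the number of iterations does not
  -- depend on where (or whether) the two strings first differ.
  FOR i IN 1..n LOOP
    -- substr() past the end returns '', which ascii() maps to 0, so a
    -- missing character is counted as a mismatch with no special branch.
    ca := ascii(substr(a, i, 1));
    cb := ascii(substr(b, i, 1));
    -- XOR is non-zero for differing characters; OR accumulates it.
    mismatch := mismatch | (ca # cb);
  END LOOP;
  -- Fold the length difference in the same branch-free way.
  mismatch := mismatch | (len_a # len_b);
  RETURN mismatch = 0;
END;
$$;

-- Usage: the submitted code and the expected code are compared as whole
-- strings; a verify function would call this in place of '='.
SELECT totp_consttime_equal('123456', '123456') AS same,
       totp_consttime_equal('123456', '123457') AS last_digit_differs,
       totp_consttime_equal('123456', '12345')  AS length_differs;
```

The first column is true and the other two are false. The function removes the data-dependent early exit that `=` has, which is the point of the issue; it does not make plpgsql execution timing fully data-independent, since the interpreter itself adds noise, so it should be paired with the usual rate limiting on verification attempts. When `totp.verify` accepts codes from several adjacent time steps, the same idea applies one level up: compare the submitted code against every candidate and OR the results, rather than returning as soon as one candidate matches.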