# Timing safe string compare using double HMAC
[![Node.js Version](https://img.shields.io/node/v/tsscmp.svg?style=flat-square)](https://nodejs.org/en/download)
[![npm](https://img.shields.io/npm/v/tsscmp.svg?style=flat-square)](https://npmjs.org/package/tsscmp)
[![NPM Downloads](https://img.shields.io/npm/dm/tsscmp.svg?style=flat-square)](https://npmjs.org/package/tsscmp)
[![Build Status](https://img.shields.io/travis/suryagh/tsscmp/master.svg?style=flat-square)](https://travis-ci.org/suryagh/tsscmp)
[![Build Status](https://img.shields.io/appveyor/ci/suryagh/tsscmp/master.svg?style=flat-square&label=windows)](https://ci.appveyor.com/project/suryagh/tsscmp)
[![Dependency Status](http://img.shields.io/david/suryagh/tsscmp.svg?style=flat-square)](https://david-dm.org/suryagh/tsscmp)
[![npm-license](http://img.shields.io/npm/l/tsscmp.svg?style=flat-square)](LICENSE)
Prevents [timing attacks](http://codahale.com/a-lesson-in-timing-attacks/) using Brad Hill's
[Double HMAC pattern](https://www.nccgroup.trust/us/about-us/newsroom-and-events/blog/2011/february/double-hmac-verification/)
to perform secure string comparison. Instead of comparing the two strings directly, both are
run through an HMAC under a key generated fresh for each comparison, and the resulting digests
are compared. Any timing difference in that comparison now depends on digests the attacker can
neither predict nor control, which blinds the timing channel and defeats the iterative,
character-by-character brute force that a naive early-exit comparison would allow.
## Why

To compare secret values like **authentication tokens**, **passwords** (or rather the hashes
derived from them) or **capability URLs** so that timing information is not
leaked to the attacker.
## Usage

```js
var timingSafeCompare = require('tsscmp');

var sessionToken = '127e6fbfe24a750e72930c';
var givenToken = '127e6fbfe24a750e72930c';

if (timingSafeCompare(sessionToken, givenToken)) {
  console.log('good token');
} else {
  console.log('bad token');
}
```
**Credits to:** [@jsha](https://github.com/jsha) |
[@bnoordhuis](https://github.com/bnoordhuis) |
[@suryagh](https://github.com/suryagh)