It's probably best to use crypto.timingSafeEqual(a, b) to compare the keys in the verify function to protect against timing attacks.
crypto.timingSafeEqual(a, b)
verify
Hey Brad, I am new to authentication, can please explain gour point?
The Wikipedia article explains it pretty well: en.wikipedia.org/wiki/Timing_attack
In other words, the verify function should look something like this:
import crypto from 'crypto'; import { promisify } from 'util'; const scrypt = promisify(crypto.scrypt); async function verify(password, hash) { const [salt, key] = hash.split(":") const keyBuffer = Buffer.from(key, 'hex') const derivedKey = await scrypt(password, salt, 64) return crypto.timingSafeEqual(keyBuffer, derivedKey) }
The key has to be converted into a buffer because crypto.timingSafeEqual only accepts buffers for the arguments.
crypto.timingSafeEqual
Doing it this way means that the comparison operation takes the same amount of time every single time.
Are you sure you want to hide this comment? It will become hidden in your post, but will still be visible via the comment's permalink.
Hide child comments as well
Confirm
For further actions, you may consider blocking this person and/or reporting abuse
We're a place where coders share, stay up-to-date and grow their careers.
It's probably best to use
crypto.timingSafeEqual(a, b)to compare the keys in theverifyfunction to protect against timing attacks.Hey Brad, I am new to authentication, can please explain gour point?
The Wikipedia article explains it pretty well: en.wikipedia.org/wiki/Timing_attack
In other words, the verify function should look something like this:
The key has to be converted into a buffer because
crypto.timingSafeEqualonly accepts buffers for the arguments.Doing it this way means that the comparison operation takes the same amount of time every single time.