scmp

What is scmp?

The scmp package in npm is a secure, constant-time comparison of strings or buffers. It is primarily used to prevent timing attacks when comparing sensitive data, such as cryptographic hashes or tokens.

What are scmp's main functionalities?

Secure String Comparison

This feature allows for the secure comparison of two strings, ensuring that the time taken to compare is constant, thus preventing timing attacks.

const scmp = require('scmp');
const a = 'not_so_secret';
const b = 'not_so_secret';
console.log(scmp(a, b)); // outputs: true

Secure Buffer Comparison

Similar to string comparison, this feature enables the secure, constant-time comparison of two buffers, which is useful for comparing binary data securely.

const scmp = require('scmp');
const buffer1 = Buffer.from('secret_data');
const buffer2 = Buffer.from('secret_data');
console.log(scmp(buffer1, buffer2)); // outputs: true

Other packages similar to scmp

bcryptjs

bcryptjs is a package that provides secure password hashing. While it does not offer direct string comparison like scmp, it is used for securely handling passwords which is a similar domain of security.

crypto

The built-in Node.js 'crypto' module provides a method called 'timingSafeEqual' which performs a constant-time comparison of buffers, similar to what scmp does. It is a more comprehensive security toolkit that includes a variety of cryptographic functions.

README

scmp

Safe, constant-time comparison of Buffers.

Install

npm install scmp

Why?

To minimize vulnerability against timing attacks.

Example

const scmp = require('scmp');
const Buffer = require('safe-buffer').Buffer;

const hash      = Buffer.from('e727d1464ae12436e899a726da5b2f11d8381b26', 'hex');
const givenHash = Buffer.from('e727e1b80e448a213b392049888111e1779a52db', 'hex');

if (scmp(hash, givenHash)) {
  console.log('good hash');
} else {
  console.log('bad hash');
}