The tsscmp npm package is a utility for performing timing-safe string comparisons. This is particularly useful for security purposes, such as comparing cryptographic hashes or passwords, to prevent timing attacks.
Timing-Safe String Comparison
This feature allows you to compare two strings in a way that is resistant to timing attacks. The comparison takes the same amount of time regardless of how similar the strings are, which helps to prevent attackers from gaining information based on the time it takes to compare the strings.
const tsscmp = require('tsscmp');
const a = 'password123';
const b = 'password123';
if (tsscmp(a, b)) {
console.log('Strings are equal');
} else {
console.log('Strings are not equal');
}The safe-compare package provides a similar functionality to tsscmp by performing timing-safe string comparisons. It ensures that the comparison takes a constant amount of time, regardless of the input strings, thereby preventing timing attacks. Compared to tsscmp, safe-compare offers a similar API and is also focused on security.
The secure-compare package is another alternative for timing-safe string comparisons. It is designed to be simple and efficient, ensuring that the comparison time is constant to mitigate timing attacks. Like tsscmp, secure-compare is used to securely compare sensitive strings such as passwords or tokens.
[![Node.js Version][node-version-image]][node-version-url] [![npm][npm-image]][npm-url] [![NPM Downloads][downloads-image]][downloads-url] [![Build Status][travis-image]][travis-url] [![Build Status][appveyor-image]][appveyor-url] [![Dependency Status][david-image]][david-url] [![github-license][github-license-image]][license-url] [travis-image]: https://img.shields.io/travis/suryagh/tsscmp/master.svg?style=flat-square [travis-url]: https://travis-ci.org/suryagh/tsscmp [appveyor-image]: https://img.shields.io/appveyor/ci/suryagh/tsscmp/master.svg?style=flat-square&label=windows [appveyor-url]: https://ci.appveyor.com/project/suryagh/tsscmp [npm-image]: https://img.shields.io/npm/v/tsscmp.svg?style=flat-square [npm-url]: https://npmjs.org/package/tsscmp [node-version-image]: https://img.shields.io/node/v/tsscmp.svg?style=flat-square [node-version-url]: https://nodejs.org/en/download [downloads-image]: https://img.shields.io/npm/dm/tsscmp.svg?style=flat-square [downloads-url]: https://npmjs.org/package/tsscmp [david-image]: http://img.shields.io/david/suryagh/tsscmp.svg?style=flat-square [david-url]: https://david-dm.org/suryagh/tsscmp [npm-license-image]: http://img.shields.io/npm/l/tsscmp.svg?style=flat-square [github-license-image]: https://img.shields.io/github/license/suryagh/tsscmp.svg?style=flat-square [license-url]: LICENSE Prevents timing attacks using Brad Hill's Double HMAC pattern to perform secure string comparison. Double HMAC avoids the timing atacks by blinding the timing channel using random time per attempt comparison against iterative brute force attacks.
npm install tsscmp
To compare secret values like authentication tokens, passwords or capability urls so that timing information is not leaked to the attacker.
var timingSafeCompare = require('tsscmp');
var sessionToken = '127e6fbfe24a750e72930c';
var givenToken = '127e6fbfe24a750e72930c';
if (timingSafeCompare(sessionToken, givenToken)) {
console.log('good token');
} else {
console.log('bad token');
}
FAQs
Timing safe string compare using double HMAC
The npm package tsscmp receives a total of 784,986 weekly downloads. As such, tsscmp popularity was classified as popular.
We found that tsscmp demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
PyPI now supports digital attestations, enhancing security and trust by allowing package maintainers to verify the authenticity of Python packages.
Security News
GitHub removed 27 malicious pull requests attempting to inject harmful code across multiple open source repositories, in another round of low-effort attacks.
Security News
RubyGems.org has added a new "maintainer" role that allows for publishing new versions of gems. This new permission type is aimed at improving security for gem owners and the service overall.