znk3r / hash-equals
A compatibility library for hash_equals() to avoid timing attacks
Requires (Dev)
- phpunit/phpunit: 4.*
This package is not auto-updated.
Last update: 2025-04-26 20:21:38 UTC
README
PHP implementation of hash_equals() for versions previous to 5.6
This function has been created to compare hash strings, in a way that prevents timing attacks. Some libraries have similar implementations, but as part of bigger packages.
Installation
Via composer.json
"require": {
"znk3r/hash_equals": "dev-master"
}
Basic Usage
The function should be available automatically after being added to composer (remember to run "composer update")
<?php
if (!hash_equals($storedHash, $userGeneratedHash)) {
echo "The strings are different";
}
Timing attacks
As described by Pádraic Brady in [an article from 2010] (http://blog.astrumfutura.com/2010/10/nanosecond-scale-remote-timing-attacks-on-php-applications-time-to-take-them-seriously/):
A Timing Attack is a form of Side Channel Attack which allows an attacker to discover some secret input to an operation by measuring the operation’s execution time often based on a set of attacker derived inputs.
At first look, this seems like an impossible task but in reality it doesn’t take much thinking to realise how many web applications likely treat existing and non-existing usernames differently during a login attempt. Differing treatment may lead to clues about the validity of any username in a few ways
These attacks are complex to implement, but have already been used a couple of times.
On PHP-5.6, hash_equals() was added to help with this type of attack, but the function is not available for previous versions, leaving them vulnerable.
This function should be used to mitigate timing attacks, specially when comparing hashes, but not as general alternative for all string comparisons.