2017 © Pedro Peláez
 

library hash-equals

A compatibility library for hash_equals() to avoid timing attacks


znk3r/hash-equals


  • Saturday, March 7, 2015
  • by znk3r
  • Repository
  • 1 Watchers
  • 1 Stars
  • 45 Installations
  • PHP
  • 0 Dependents
  • 0 Suggesters
  • 0 Forks
  • 1 Open issues
  • 1 Versions
  • 0 % Grown

The README.md

hash_equals

PHP implementation of hash_equals() for versions prior to 5.6.

This function was created to compare hash strings in a way that prevents timing attacks. Some libraries have similar implementations, but only as part of bigger packages.

Installation

Via composer.json:

"require": {
    "znk3r/hash_equals": "dev-master"
}

Basic Usage

The function should be available automatically once the package has been added through Composer (remember to run "composer update"):

<?php

if (!hash_equals($storedHash, $userGeneratedHash)) {
    echo "The strings are different"; 
}

Timing attacks

As described by Pádraic Brady in an article from 2010 (http://blog.astrumfutura.com/2010/10/nanosecond-scale-remote-timing-attacks-on-php-applications-time-to-take-them-seriously/):

A Timing Attack is a form of Side Channel Attack which allows an attacker to discover some secret input to an operation by measuring the operation’s execution time often based on a set of attacker derived inputs.

At first look, this seems like an impossible task but in reality it doesn’t take much thinking to realise how many web applications likely treat existing and non-existing usernames differently during a login attempt. Differing treatment may lead to clues about the validity of any username in a few ways

These attacks are complex to implement, but have already been used a couple of times.

In PHP 5.6, hash_equals() was added to help with this type of attack, but the function is not available in previous versions, leaving them vulnerable.

This function should be used to mitigate timing attacks, especially when comparing hashes, but not as a general alternative for all string comparisons.
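
The comparison this section describes, as an added example (not the znk3r/hash_equals source and not code from the original page): an early-exit comparison beside a constant-time one for PHP versions without hash_equals(). The function names leaky_equals and ct_equals, the key and the sample values are assumptions made for illustration.

```php
<?php
// Added example; function names are hypothetical, not the library's API.

// Early-exit comparison: returns at the first differing byte, so the running
// time depends on how many leading bytes of the secret the caller matched.
function leaky_equals($known, $user)
{
    if (strlen($known) !== strlen($user)) {
        return false;
    }
    for ($i = 0; $i < strlen($known); $i++) {
        if ($known[$i] !== $user[$i]) {
            return false;
        }
    }
    return true;
}

// Constant-time comparison: every byte is visited and differences are
// accumulated with OR, so timing does not depend on where the strings differ.
function ct_equals($known, $user)
{
    // The native hash_equals() raises an error for non-strings;
    // this sketch simply rejects them.
    if (!is_string($known) || !is_string($user)) {
        return false;
    }
    $len = strlen($known);
    // Length is not treated as secret (hash lengths are public). The native
    // hash_equals() also returns immediately on a length mismatch.
    if ($len !== strlen($user)) {
        return false;
    }
    $diff = 0;
    for ($i = 0; $i < $len; $i++) {
        $diff |= ord($known[$i]) ^ ord($user[$i]);
    }
    return $diff === 0;
}

// Constructed sample values: a 64-character hex HMAC and a copy whose
// last character has been changed.
$stored = hash_hmac('sha256', 'message', 'constructed-key');
$wrong  = substr($stored, 0, -1) . ($stored[63] === '0' ? '1' : '0');

var_dump(ct_equals($stored, $stored));
var_dump(ct_equals($stored, $wrong));
var_dump(ct_equals($stored, 'short'));
```

Both functions return the same results; the difference is that leaky_equals stops at the first mismatch while ct_equals always does the same amount of work for equal-length inputs.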

The Versions

07/03 2015

dev-master

9999999-dev https://github.com/znk3r/hash_equals


MIT

The Development Requires

by Miguel Angel Liebana

hashing timing attacks