0Pricing
Cryptology Academy · Lesson

Timing Attacks in Application-Level Code

Learn how string comparison timing leaks secrets and how constant-time comparison prevents them.

Non-Constant-Time String Comparison

The standard string equality operator in most programming languages terminates as soon as a mismatch is found. Python's == on bytes objects, C's strcmp, and Java's String.equals all return immediately when the first differing byte is found. For normal string comparison this is an optimization, but for comparing secret values like MAC tags or passwords, it creates a measurable timing side channel that leaks information.

Measuring HMAC Comparison Time

An attacker measures the time taken to compare a submitted HMAC tag against the correct value. Submitting an HMAC where the first byte matches correctly takes slightly longer than one where the first byte is wrong (one additional byte comparison). By submitting many values with each possible first byte and measuring response times, the attacker identifies the correct first byte. This process repeats byte by byte until the full tag is recovered.

All lessons in this course

  1. Padding Oracle Attacks in Detail
  2. Replay Attacks and Nonce Reuse Vulnerabilities
  3. Timing Attacks in Application-Level Code
  4. Top Cryptographic Misuse Patterns
← Back to Cryptology Academy