Timing Attacks in Application-Level Code
Learn how string comparison timing leaks secrets and how constant-time comparison prevents them.
Non-Constant-Time String Comparison
The standard string equality operator in most programming languages terminates as soon as a mismatch is found. Python's == on bytes objects, C's strcmp, and Java's String.equals all return immediately when the first differing byte is found. For normal string comparison this is an optimization, but for comparing secret values like MAC tags or passwords, it creates a measurable timing side channel that leaks information.
Measuring HMAC Comparison Time
An attacker measures the time taken to compare a submitted HMAC tag against the correct value. Submitting an HMAC where the first byte matches correctly takes slightly longer than one where the first byte is wrong (one additional byte comparison). By submitting many values with each possible first byte and measuring response times, the attacker identifies the correct first byte. This process repeats byte by byte until the full tag is recovered.
All lessons in this course
- Padding Oracle Attacks in Detail
- Replay Attacks and Nonce Reuse Vulnerabilities
- Timing Attacks in Application-Level Code
- Top Cryptographic Misuse Patterns