def is_equal(a, b):This function is available in python 3.3+ as:
if len(a) != len(b):
return False
result = 0
for x, y in zip(a, b):
result |= x ^ y
return result == 0
hmac.compare_digest(a, b)
Monday, May 5, 2014
Don't use == for comparing secrets
TIL: You shouldn't use == to compare HMACs, or anything sensitive really. Doing so creates a timing side channel that can reveal the secret to an attacker. Instead you need to use a comparison function that takes a constant amount of time for all values, not matter how similar they are to the actual HMAC. The python example given in the article is:
Subscribe to:
Post Comments (Atom)
No comments:
Post a Comment