Class SecureCompare

Provides methods for securely comparing objects.

Inheritance

Object

SecureCompare

Inherited Members

Object.Equals(Object)

Object.Equals(Object, Object)

Object.GetHashCode()

Object.GetType()

Object.MemberwiseClone()

Object.ReferenceEquals(Object, Object)

Object.ToString()

Namespace: Recore.Security.Cryptography

Assembly: Recore.dll

Syntax

public static class SecureCompare

Methods

| Improve this Doc View Source

TimeInvariantEquals(Byte[], Byte[])

Checks two byte arrays for equality without early termination.

Declaration

public static bool TimeInvariantEquals(byte[] lhs, byte[] rhs)

Parameters

Type	Name	Description
Byte[]	lhs
Byte[]	rhs

Returns

Type	Description
Boolean

Remarks

This method is used to guard against timing attacks.

When checking untrusted input against a secret, using a regular element-by-element equality method such as Equals(String) is insecure. For example, suppose you are checking whether an incoming request's signature matches what you expect. In this case, you hash the request payload with your own private key and compare that to the actual signature. If the comparison stops at the first unmatched element in the sequence, an attacker can time the comparison with a high-resolution timer and infer how many elements they guessed correctly.

This method assumes that the length of the sequences are equal, such as two strings processed by a hashing algorithm. If the length of the sequence is considered a secret, this method should not be used as it will leak that information in a timing attack.