Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

What that mean: Compare two strings $a and $b in length-constant time?

While learning Password Hashing and saving in DB, I found this article: https://crackstation.net/hashing-security.htm#phpsourcecode

Everything was clear except this function that I can't Understand exactly why not used normal equality? And what is meant by: Compares two strings $a and $b in length-constant time.

// Compares two strings $a and $b in length-constant time.
function slow_equals($a, $b)
{
    $diff = strlen($a) ^ strlen($b);
    for($i = 0; $i < strlen($a) && $i < strlen($b); $i++)
    {
        $diff |= ord($a[$i]) ^ ord($b[$i]);
    }
    return $diff === 0;
}
like image 907
Jason OOO Avatar asked Sep 15 '13 08:09

Jason OOO


People also ask

What is constant time string comparison?

The string comparison compares the two keys one byte at a time, stopping as soon as it finds an offset where the two strings do not match. As a result, checkApiKey will take longer if the two keys start with the same bytes.

How do you compare the length of a two string?

strcmp is used to compare two different C strings. When the strings passed to strcmp contains exactly same characters in every index and have exactly same length, it returns 0. For example, i will be 0 in the following code: char str1[] = "Look Here"; char str2[] = "Look Here"; int i = strcmp(str1, str2);

What is the time complexity of comparing two strings?

Time Complexity: O(min(n,m)) where n and m are the length of the strings. Auxiliary Space: O(max(n,m)) where n and m are the length of the strings.

What does comparing two strings mean?

To compare two strings, we mean that we want to identify whether the two strings are equivalent to each other or not, or perhaps which string should be greater or smaller than the other. This is done using the following operators: == : This checks whether two strings are equal. !=

How do you compare values in two strings?

Example 2: Compare two strings using equals() To compare these strings in Java, we need to use the equals() method of the string. You should not use == (equality operator) to compare these strings because they compare the reference of the string, i.e. whether they are the same object or not.

How do you compare two strings or values are same?

Using String.equals() method compares two strings based on the sequence of characters present in both the strings. The method is called using two strings and returns a boolean value. If all the characters of both the strings are equal then the method returns true else false gets returned.


1 Answers

When you usually compare if two strings are equal or not, the algorithm stops if it encounters the first unequality.

Like this: "aaa" == "aba"? First character? Both "a". Second character? "a" isn't "b", so stop here to save time. The last character does not get compared.

When comparing security relevant strings, an attacker might get a clue which character is correct and which is wrong because of the runtime of such a comparison function.

Consider for a moment the unsafe practice of having plain text passwords. If the attacker could find out whether or not the first character of his guessed password is correct by measuring how long the password comparison runs, he needs only about 62 guesses (alphabetic characters lower and upper case, and numbers) to know the first letter. With one letter the runtime was longer because that first letter was identical to the real password, and the second letter got compared. Now that second letter gets iterated. And after 62 more guesses, is known.

This weakens security a lot, because without knowing if the first letter is right, you'd need 62*62 guesses for a two-letter password. With a clue, you only need 62 + 62 guesses.

A length-constant comparison function compares all the letters, and only at the end reveals whether or not the strings match. That way you cannot get a clue which letter is already right.

Hashing strings mixes up things a bit, but because you cannot know if the attacker has pre-generated a bunch of hashes, or is generating them on the fly and does NOT brute-force the corresponding password if the hash would not match, you do not want anybody to know WHERE that hash does not match. It's a small added security component, but a very important one.

like image 85
Sven Avatar answered Nov 11 '22 15:11

Sven