Mitigating Timing Attacks
The tl;dr on timing attacks is that when comparing two values, if your comparison operator returns as soon as it finds its first non-matching byte, an attacker who controls one of the values can recover the other one byte at a time simply by timing how fast the comparison returns.
"ABC123" == "ABC012"
# if each character takes 1μs to compare, this returns after 4μs (three matches, then a mismatch on the fourth), so we learn that the first 3 chars are correct.
Plug.Crypto.secure_compare("ABC123", "ABC012")
# takes the same time for any two inputs of the same length, no matter where they differ
secure_compare/2
first checks whether the byte sizes are the same (if they aren't, it returns immediately, so the length of the expected value is not hidden). If the byte sizes match, it walks every byte of both binaries before returning, so the time depends only on the length, never on where the first mismatch is.
https://hexdocs.pm/plug_crypto/Plug.Crypto.html#secure_compare/2
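As an added example (not taken from the post or from Plug.Crypto's source), here is the leaky early-exit pattern next to a constant-time compare built the same way secure_compare/2 is described above: length check first, then XOR every byte pair and OR the results into an accumulator so the loop never exits early. The HMAC verification, the secret and the message are constructed for the demo; `TimingSafe` and its function names are assumptions for this note.

```elixir
defmodule TimingSafe do
  import Bitwise

  # Leaky version: stops at the first mismatching byte, so the time it takes
  # reveals how many leading bytes the attacker got right.
  def leaky_compare(<<x, left::binary>>, <<y, right::binary>>) do
    if x == y, do: leaky_compare(left, right), else: false
  end

  def leaky_compare(<<>>, <<>>), do: true
  def leaky_compare(_, _), do: false

  # Hardened version: the length check is the only early exit (length is not
  # the secret here); after that every byte is visited regardless of content.
  def secure_compare(left, right) when is_binary(left) and is_binary(right) do
    byte_size(left) == byte_size(right) and compare_bytes(left, right, 0)
  end

  defp compare_bytes(<<x, left::binary>>, <<y, right::binary>>, acc),
    do: compare_bytes(left, right, acc ||| bxor(x, y))

  # acc is 0 only if every XOR was 0, i.e. every byte pair matched.
  defp compare_bytes(<<>>, <<>>, acc), do: acc === 0

  # Typical use: checking a client-supplied HMAC tag. The expected tag is
  # derived from the secret, so comparing it with == would leak it byte by byte.
  def valid_signature?(secret, message, presented_tag) do
    expected = :crypto.mac(:hmac, :sha256, secret, message)
    secure_compare(expected, presented_tag)
  end
end

# Constructed demo inputs (hypothetical secret and message, not real values).
secret = "constructed-demo-secret"
message = "order_id=42&amount=100"
good_tag = :crypto.mac(:hmac, :sha256, secret, message)
bad_tag = :binary.copy(<<0>>, byte_size(good_tag))

IO.inspect(TimingSafe.secure_compare("ABC123", "ABC012"), label: "secure_compare")
IO.inspect(TimingSafe.leaky_compare("ABC123", "ABC012"), label: "leaky_compare")
IO.inspect(TimingSafe.valid_signature?(secret, message, good_tag), label: "good tag")
IO.inspect(TimingSafe.valid_signature?(secret, message, bad_tag), label: "bad tag")
```

Run it with `elixir timing_safe.exs`. Both compare functions return the same booleans; the difference is only in how long they take on a mismatch, which is the whole point. In practice, just call Plug.Crypto.secure_compare/2 rather than rolling your own. If the length of the expected value must stay hidden as well, compare fixed-length hashes (or HMACs) of both inputs instead of the raw values, so the length check above can never exit early.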