# Timing safe string compare using double HMAC
[](https://nodejs.org/en/download)
[](https://npmjs.org/package/tsscmp)
[](https://npmjs.org/package/tsscmp)
[](https://travis-ci.org/suryagh/tsscmp)
[](https://ci.appveyor.com/project/suryagh/tsscmp)
[](https://david-dm.org/suryagh/tsscmp)
[](LICENSE)
Prevents [timing attacks](http://codahale.com/a-lesson-in-timing-attacks/) using Brad Hill's
[Double HMAC pattern](https://www.nccgroup.trust/us/about-us/newsroom-and-events/blog/2011/february/double-hmac-verification/)
to perform secure string comparison. Double HMAC avoids the timing atacks by blinding the
timing channel using random time per attempt comparison against iterative brute force attacks.
## Install
```
npm install tsscmp
```
## Why
To compare secret values like **authentication tokens**, **passwords** or
**capability urls** so that timing information is not
leaked to the attacker.
## Example
```js
var timingSafeCompare = require('tsscmp');
var sessionToken = '127e6fbfe24a750e72930c';
var givenToken = '127e6fbfe24a750e72930c';
if (timingSafeCompare(sessionToken, givenToken)) {
console.log('good token');
} else {
console.log('bad token');
}
```
##License:
[MIT](LICENSE)
**Credits to:** [@jsha](https://github.com/jsha) |
[@bnoordhuis](https://github.com/bnoordhuis) |
[@suryagh](https://github.com/suryagh) |
![[ICO]](/icons/blank.gif){kind=icon}
![[PARENTDIR]](/icons/back.gif){kind=icon}
![[DIR]](/icons/folder.gif){kind=icon}
![[ ]](/icons/unknown.gif){kind=icon}
![[TXT]](/icons/text.gif){kind=icon}