TIL – Timing Attack

Question: Why should we use hash_equals in PHP rather than just the simple string comparison?

Answer: Actually, it’s not something PHP specific. Instead, it’s universal among all programming languages. But why? With the typical string comparison, the false result will be emitted as soon as a non-matched character is found. By trying to compare the response time in a fast network (such as local LAN) from different string lengths and content, attackers can slowly verify the correct secret string. hash_equals ensures that there is no difference in terms of response time.

References:

• https://wiki.php.net/rfc/timing_attack
• https://codahale.com/a-lesson-in-timing-attacks/
• Two first answers look excellent https://security.stackexchange.com/questions/83660/simple-string-comparisons-not-secure-against-timing-attacks
• https://ropesec.com/articles/timing-attacks/