Last week I wrapped up the chapter on the crypto package in Go, The Standard Library. Within the crypto package we have the crypto/subtle package. This package contains functions for doing constant-time operations, which are an important part of cryptography.
Constant-time functions help prevent timing attacks, which arise when an operation takes a different amount of time to complete depending on some (secret) input: the time something takes leaks information about what is going on inside it.
Comparing Strings
Let's look at a standard string comparison algorithm. For every character in one string, compare it to the character at the same index in the other string. If they are equal, move on to the next character; if not, return false. Pretty straightforward, but notice that if the first character doesn't match, the function returns immediately, while if the first character matches but the second doesn't, the function takes just a little bit longer. That difference is enough to measure, even against web applications over a network. See these two papers for more on that. The functions in the crypto/subtle package use some bit twiddling so that the comparison always does the same amount of work: every byte is examined and the result is accumulated without branching on the data, so the running time depends only on the length of the inputs and not on their contents.
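As an added example that is not part of the original post, here is the variable-time comparison described above next to a hand-written constant-time version that shows the XOR/OR bit twiddling, plus a token check built on subtle.ConstantTimeCompare from the standard library. The names naiveEqual, constantTimeEqual and checkToken, the sample token, and the SHA-256 pre-hashing step in checkToken are this example's own choices, not something the post or the crypto/subtle package prescribes.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
)

// naiveEqual is the textbook comparison described above, kept as the
// variable-time "before" form: it returns at the first mismatching byte, so
// its running time grows with the length of the common prefix of a and b.
func naiveEqual(a, b []byte) bool {
	if len(a) != len(b) {
		return false
	}
	for i := range a {
		if a[i] != b[i] {
			return false
		}
	}
	return true
}

// constantTimeEqual is a hand-written version of the bit-twiddling idea:
// XOR each pair of bytes (zero only when they match) and OR the results
// together, so every byte is visited no matter where the first difference is.
// The final 0/1 reduction is branch-free too: for a byte v, uint32(v)-1 wraps
// to 0xFFFFFFFF only when v == 0, so its top bit is 1 exactly when every byte
// matched. Illustrative only; production code should call
// subtle.ConstantTimeCompare instead.
func constantTimeEqual(a, b []byte) bool {
	if len(a) != len(b) {
		return false
	}
	var v byte
	for i := range a {
		v |= a[i] ^ b[i]
	}
	return (uint32(v)-1)>>31 == 1
}

// checkToken compares a presented bearer token against the expected one.
// Both subtle.ConstantTimeCompare and constantTimeEqual return early when the
// lengths differ, which leaks the length of the secret. Hashing both sides
// down to a fixed 32 bytes first (this example's choice) removes that channel:
// the digest comparison then takes the same time for every input.
func checkToken(presented, expected string) bool {
	p := sha256.Sum256([]byte(presented))
	e := sha256.Sum256([]byte(expected))
	return subtle.ConstantTimeCompare(p[:], e[:]) == 1
}

func main() {
	const expected = "hunter2-api-token" // constructed sample secret
	for _, guess := range []string{"hunter2-api-token", "hunter2-api-tokeN", "h", ""} {
		fmt.Printf("%-20q naive=%-5v subtle=%-5v token=%v\n",
			guess,
			naiveEqual([]byte(guess), []byte(expected)),
			constantTimeEqual([]byte(guess), []byte(expected)),
			checkToken(guess, expected))
	}
}
```

All three functions agree on the answer; the difference is only in how long they take to reach it. Note the caveat in checkToken: the documentation for subtle.ConstantTimeCompare states that its running time is a function of the slice lengths and that it returns 0 immediately when the lengths differ, so if the length of the secret is itself sensitive, compare fixed-length digests rather than the raw values.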
Let's look at how this would work in Go: