securecompare

securecompare is a gem that implements a constant time string comparison method safe for use in cryptographic functions.

Description

securecompare borrows the secure_compare private method from ActiveSupport::MessageVerifier which lets you do safely compare strings without being vulnerable to timing attacks. Useful for Basic HTTP Authentication in your rack/rails application.

Installation

Add this line to your application's Gemfile:

gem "securecompare"

And then execute:

$ bundle install

Or install it yourself as:

$ gem install securecompare

Usage

require "securecompare"

SecureCompare.compare("password", "password") # => true
SecureCompare.compare("password", "passw0rd") # => false

require "securecompare"

class Password < String
  include SecureCompare

  def ==(other)
    secure_compare(self, other)
  end
end

Password.new("password") == "password" # => true
Password.new("password") == "passw0rd" # => false

require "securecompare"

class ApplicationController < ActionController::Base
  include SecureCompare

  before_filter :authenticate

  proctected
  def authenticate
    authenticate_or_request_with_http_basic("My Rails App") do |username, password|
      secure_compare(username, "username") & secure_compare(password, "password")
    end
  end
end

Contributing

Fork, branch & pull request.