Module: WSDL::Security::SecureCompare

Defined in:
lib/wsdl/security/secure_compare.rb

Overview

Provides timing-safe comparison utilities for cryptographic values.

Standard string comparison (==) short-circuits on the first differing character, which leaks timing information about how many characters match. This can be exploited in timing attacks to gradually guess secret values by measuring response times.

This module wraps Ruby's OpenSSL.secure_compare to provide constant-time string comparison that prevents such attacks.

Examples:

Comparing digest values

computed_digest = compute_digest(element)
expected_digest = reference[:expected]

if SecureCompare.equal?(computed_digest, expected_digest)
  puts "Digest verified!"
end

See Also:

Class Method Summary collapse

Class Method Details

.equal?(expected, actual) ⇒ Boolean

Performs a timing-safe comparison of two strings.

This method uses OpenSSL.secure_compare which:

  1. Hashes both inputs with SHA-256 to normalize lengths
  2. Uses constant-time comparison on the hashes
  3. Performs a final equality check

This ensures the comparison time is independent of:

  • How many characters match
  • The length of either string

Examples:

Basic usage

SecureCompare.equal?("secret123", "secret123")  # => true
SecureCompare.equal?("secret123", "secret456")  # => false

With Base64-encoded digests

SecureCompare.equal?(expected_digest, computed_digest)

Parameters:

  • expected (String)

    first string to compare (typically the expected value)

  • actual (String)

    second string to compare (typically the computed value)

Returns:

  • (Boolean)

    true if strings are equal, false otherwise



51
52
53
54
55
 
# File 'lib/wsdl/security/secure_compare.rb', line 51

def equal?(expected, actual)
  return false unless expected.is_a?(String) && actual.is_a?(String)

  OpenSSL.secure_compare(expected, actual)
end