SCrypt.Verify hash comparison vulnerable to a timing attack

[mbomb007]

See DefaultPasswordHash.cs

public bool Verify(string password, string hash)
{
    return hash == HashPassword(password, hash);
}

When you compare the hashes using ==, the comparison logic uses early-out optimization so that if the first character of both strings are different, the comparison ends abruptly returning false. If only the last character is different, the comparison gets that far (taking a bit longer) and returns false. So an attacker can send specific known hashes, record the differences in comparison time, and figure out the correct hash one character at a time.

A simple solution is to perform a byte-to-byte (or char to char) comparison in constant time with no optimization so that the entire string is compared. The recommended solution is probably to use Double-HMAC Comparison. There is an example in Security Driven .NET by Stan Drapkin, which makes use of Inferno (which makes use of System.Security.Cryptography.HMAC).

References:

• Simple string comparisons not secure against timing attacks
• Timing attack against HMAC in authenticated encryption?
• Preventing Timing Attacks on String Comparison with a Double HMAC Strategy
• A Lesson In Timing Attacks
• Where Are The Constant Time Comparisons on .NET?