Re: Is a constant time string compare necessary?

On Tue, Dec 03, 2013 at 08:55:47PM +0100, Laurens Van Houtven wrote:
> When comparing the result of the scrypt KDF to a previously computed &
> stored value (say, in the context of a stored password), is it necessary to
> compare the two strings in constant time?

If the salts are large and are unpredictable by a remote attacker and
are stored only along with the hashes, no.
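
The verification step under discussion, as an added example that is not part of the original thread: it stores a random salt next to the scrypt output, checks a candidate with `hmac.compare_digest`, and computes the matching-prefix length that an early-exit comparison could expose. The scrypt parameters, the record layout and the function names are assumptions made for this example.

```python
import hashlib
import hmac
import os

# scrypt cost parameters and output length: assumed values for this example.
N, R, P, DKLEN = 2**14, 8, 1, 32


def derive(password: bytes, salt: bytes) -> bytes:
    return hashlib.scrypt(password, salt=salt, n=N, r=R, p=P, dklen=DKLEN)


def enroll(password: bytes) -> dict:
    """Create a stored record: a fresh 16-byte random salt kept next to the hash."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": derive(password, salt)}


def verify(record: dict, candidate: bytes) -> bool:
    """Check a candidate; compare_digest does not stop at the first mismatch."""
    return hmac.compare_digest(derive(candidate, record["salt"]), record["hash"])


def matching_prefix(a: bytes, b: bytes) -> int:
    """Leading bytes that agree: what an early-exit comparison can expose."""
    n = 0
    for x, y in zip(a, b):
        if x != y:
            break
        n += 1
    return n


def observe(record: dict, candidate: bytes) -> int:
    """Prefix length a timing observer could learn for one candidate."""
    return matching_prefix(derive(candidate, record["salt"]), record["hash"])


if __name__ == "__main__":
    rec = enroll(b"correct horse")  # constructed sample password
    print(verify(rec, b"correct horse"), verify(rec, b"wrong guess"))
    # The observer learns a prefix length of scrypt(guess, salt). Without the
    # salt they cannot compute that value for their own guess, which is the
    # condition the reply above attaches to its answer.
    print(observe(rec, b"wrong guess"))
    guessed = derive(b"wrong guess", os.urandom(16))  # attacker's guessed salt
    print(matching_prefix(guessed, derive(b"wrong guess", rec["salt"])))
```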