Is the time leakage by comparing the hashes of two strings vulnerable?

356 Views Asked by At

It is obvious that if we compare two strings it is vulnerable to the time attack.

I'm now wondering whether the time leakage is still a vulnerability if the comparison is done on the hash of those two strings?

Isn't it vulnerable to any other kind of attacks? (Suppose using a hash algorithm which is safe against the collision attack).

Or simply what will happen if someone could find out the hash of the original string? Can it be abused?

Here is just an example of the idea:

user_pass = get_password_from_input();
if (memcmp(sha256(user_pass), sha256(HARD_CODED_PASS), SHA256_SIZE))
    printf("Welcome!");
else
    printf("Wrong Password!");
0

There are 0 best solutions below