Alanaktion · June 12, 2018 23:00
diff --git a/timing-attack.php b/timing-attack.php
 <?php
 $iterations = 1e4;
 $valid = 'password';
 $stored_hash = md5($valid);
 $test = $arvg[1] ?? 'notvalid';

 echo "$iterations iterations\n";

 // Run tests
 $v_start = microtime(true);
 for ($i = 0; $i < $iterations; $i++) {
    if ($stored_hash == md5($valid)) {
        // Do nothing...
    }
 }
 $v_time = microtime(true) - $v_start;
 echo "{$v_time} seconds for idential hashes\n";

 $t_start = microtime(true);
 for ($i = 0; $i < $iterations; $i++) {
    if ($stored_hash == md5($test)) {
        // Do nothing...
    }
 }
 $t_time = microtime(true) - $t_start;
 echo "{$t_time} seconds for different hashes\n";

 // Analyze results
 if (abs($v_time - $t_time) < .001) {
    echo "Timing is close, test could match stored hash.\n";
 } elseif ($v_time > $t_time) {
    echo "Correct hash took less time than test hash, so test is not valid.\n";
 } else {
    echo "Stored hash took *longer* somehow. This happens sometimes.\n";
 }
	<?php
	$iterations = 1e4;
	$valid = 'password';
	$stored_hash = md5($valid);
	$test = $arvg[1] ?? 'notvalid';

	echo "$iterations iterations\n";

	// Run tests
	$v_start = microtime(true);
	for ($i = 0; $i < $iterations; $i++) {
	if ($stored_hash == md5($valid)) {
	// Do nothing...
	}
	}
	$v_time = microtime(true) - $v_start;
	echo "{$v_time} seconds for idential hashes\n";

	$t_start = microtime(true);
	for ($i = 0; $i < $iterations; $i++) {
	if ($stored_hash == md5($test)) {
	// Do nothing...
	}
	}
	$t_time = microtime(true) - $t_start;
	echo "{$t_time} seconds for different hashes\n";

	// Analyze results
	if (abs($v_time - $t_time) < .001) {
	echo "Timing is close, test could match stored hash.\n";
	} elseif ($v_time > $t_time) {
	echo "Correct hash took less time than test hash, so test is not valid.\n";
	} else {
	echo "Stored hash took longer somehow. This happens sometimes.\n";
	}