The Google Keyczar Crypto Vulnerability

Google’s Keyczar library suffered from a timing side-channel vulnerability involving its HMAC signature verification. Specifically, the default HMAC-based “compare” operation in both Python and Java was implemented using a direct equality check (==). Because these equality checks terminate as soon as a mismatched byte is encountered, an attacker could guess the correct HMAC signature incrementally by measuring the time it took the server to respond. Each correct byte of the signature would delay the failure response, thus leaking information about how many bytes matched so far.

This seemingly small oversight demonstrated how even carefully written crypto libraries can contain subtle bugs when translating abstract operations (like “compare”) into actual code. The fix required using a “constant-time” comparison technique, which ensures the operation always takes the same amount of time regardless of how many bytes match. This prevents attackers from observing response time differences and carrying out a remote timing attack. Keyczar quickly patched their library after the issue was reported, highlighting the importance of rigorous security reviews and the benefits of using well-tested, high-level cryptographic libraries whenever possible.

We made a challenge in Go to replicate this vulnerability:

:point_right: Compare.go
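As an added illustration (not the challenge's Compare.go and not Keyczar's own code), here is the early-exit comparison beside the constant-time replacement from Go's standard library; the vulnerable version is instrumented to count how many bytes it examined, which is the quantity that response time exposes. The key and message are constructed sample values.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
)

// sign returns the HMAC-SHA256 tag of msg under key.
func sign(key, msg []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(msg)
	return m.Sum(nil)
}

// insecureEqual reproduces the early-exit equality check behind the Keyczar bug.
// The number of bytes examined grows with the matching prefix, and on a server that is what leaks as response time.
func insecureEqual(a, b []byte) (equal bool, examined int) {
	if len(a) != len(b) {
		return false, 0
	}
	for i := range a {
		examined++
		if a[i] != b[i] {
			return false, examined
		}
	}
	return true, examined
}

// constantTimeEqual is the fix: subtle.ConstantTimeCompare (which hmac.Equal wraps)
// touches every byte and folds all mismatches into a single result.
func constantTimeEqual(a, b []byte) bool {
	return subtle.ConstantTimeCompare(a, b) == 1
}

// corruptAt returns a copy of tag with byte i flipped: a constructed forgery sharing exactly i leading bytes.
func corruptAt(tag []byte, i int) []byte {
	out := append([]byte{}, tag...)
	out[i] ^= 0xff
	return out
}

func main() {
	tag := sign([]byte("constructed-demo-key"), []byte("constructed message"))
	_, n0 := insecureEqual(tag, corruptAt(tag, 0))
	_, n8 := insecureEqual(tag, corruptAt(tag, 8))
	fmt.Printf("early-exit: %d vs %d bytes examined; constant-time: %v\n", n0, n8, constantTimeEqual(tag, tag))
}
```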