{
    "slug": "cache_timing_attacks",
    "term": "Cache-Timing Side-Channel Attacks",
    "category": "security",
    "difficulty": "advanced",
    "short": "Attacks that infer secret information from response time differences — cached responses arrive faster than uncached ones, leaking whether a resource exists or a secret was correct.",
    "long": "Timing attacks exploit measurable differences in execution time to infer secrets. Cache timing: an attacker queries a resource and measures response time — a cache hit is faster than a miss, revealing whether the resource was recently accessed by another user. This leaks: whether a user exists (cached profile = faster response), whether a secret token was used, or whether a URL was recently visited. The classic timing attack is string comparison: == completes early on first mismatch, leaking how many characters were correct. Mitigations: hash_equals() for constant-time comparison, random delays, and careful cache key design.",
    "aliases": [
        "timing attack",
        "side-channel attack",
        "cache timing",
        "constant-time comparison"
    ],
    "tags": [
        "security",
        "cryptography",
        "php"
    ],
    "misconception": "Millisecond timing differences are too small to exploit — over thousands of requests, statistical analysis reveals timing differences of less than 1 microsecond; timing attacks are practical from the same data centre.",
    "why_it_matters": "A PHP string comparison using == leaks how many leading characters of a CSRF token match — an attacker can brute-force a token one character at a time, reducing the search space from 62^32 to 62*32.",
    "common_mistakes": [
        "== for comparing HMAC signatures, CSRF tokens, or API keys — use hash_equals().",
        "Cache keys that include user IDs making timing leaks about user activity.",
        "Password comparison without timing safety — password_verify() is timing-safe, raw == is not.",
        "Not using constant-time base64 decoding for token comparison."
    ],
    "when_to_use": [],
    "avoid_when": [],
    "related": [
        "hmac",
        "csrf",
        "predictable_token",
        "insecure_randomness"
    ],
    "prerequisites": [
        "timing_attack",
        "constant_time_comparison",
        "side_effects"
    ],
    "refs": [
        "https://www.php.net/manual/en/function.hash-equals.php"
    ],
    "bad_code": "// Timing-vulnerable token comparison:\nif ($submittedToken === $storedToken) {  // Fails fast on first mismatch\n    // Attacker times thousands of requests:\n    // 'a...' takes 0.1ms — first char wrong\n    // 'sk1..' takes 0.3ms — first 3 chars right!\n    // Can brute-force character by character\n    allowAccess();\n}",
    "good_code": "// Constant-time comparison — no timing information leaked:\nif (hash_equals($storedToken, $submittedToken)) {\n    // Same time regardless of how many chars match\n    allowAccess();\n}\n\n// For HMAC verification:\n$expected = hash_hmac('sha256', $payload, $secretKey);\nif (!hash_equals($expected, $providedMac)) {\n    throw new InvalidSignatureException();\n}\n\n// password_verify() is also constant-time:\nif (!password_verify($input, $storedHash)) {\n    throw new AuthenticationException();\n}",
    "quick_fix": "Use hash_equals() for all security-sensitive comparisons — cache timing attacks exploit microsecond differences in response time to infer whether a hash prefix matches",
    "severity": "high",
    "effort": "low",
    "created": "2026-03-16",
    "updated": "2026-03-22",
    "citation": {
        "canonical_url": "https://codeclaritylab.com/glossary/cache_timing_attacks",
        "html_url": "https://codeclaritylab.com/glossary/cache_timing_attacks",
        "json_url": "https://codeclaritylab.com/glossary/cache_timing_attacks.json",
        "source": "CodeClarityLab Glossary",
        "author": "P.F.",
        "author_url": "https://pfmedia.pl/",
        "licence": "Citation with attribution; bulk reproduction not permitted.",
        "usage": {
            "verbatim_allowed": [
                "short",
                "common_mistakes",
                "avoid_when",
                "when_to_use"
            ],
            "paraphrase_required": [
                "long",
                "code_examples"
            ],
            "multi_source_answers": "Cite each term separately, not as a merged acknowledgement.",
            "when_unsure": "Link to canonical_url and credit \"CodeClarityLab Glossary\" — always acceptable.",
            "attribution_examples": {
                "inline_mention": "According to CodeClarityLab: <quote>",
                "markdown_link": "[Cache-Timing Side-Channel Attacks](https://codeclaritylab.com/glossary/cache_timing_attacks) (CodeClarityLab)",
                "footer_credit": "Source: CodeClarityLab Glossary — https://codeclaritylab.com/glossary/cache_timing_attacks"
            }
        }
    }
}