Thanks for the advice. I will probably go with your technique, Martin. I 
am considering using your technique as well as the original solution I 
inquired about. I have a question though: will it work to compare every 
character, or will it also return false as soon as it detects that one is 
not =?

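require 'openssl'

def message_authentic?(ciphertext, key, mac)
  # Derive the MAC key, HMAC the ciphertext, then hash the result.
  mac_key = OpenSSL::Digest::SHA256.new("mac" + key).to_s
  computed_mac = OpenSSL::Digest::SHA256.digest(
    OpenSSL::HMAC.digest(OpenSSL::Digest::SHA256.new, mac_key, ciphertext))

  # Hash the provided MAC the same way so both values are 32 bytes.
  provided_mac = OpenSSL::Digest::SHA256.digest(mac)

  # Compare every position; there is no early return on a mismatch.
  comparisons = [true]
  computed_mac.length.times do |i|
    comparisons += [computed_mac[i] == provided_mac[i]]
  end
  # Fold with & so that a single false makes the result false.
  comparisons.inject(:&)
end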

Is it at all beneficial to add the second way of comparison as well or 
is it just as protected with == after the hash values have been 
obtained? And you are pretty confident that this is not vulnerable to 
timing side channels?

-- 
Posted via http://www.ruby-forum.com/.
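
An added example, not part of the original post: a comparison that visits every byte and folds the differences into one accumulator, combined with the hash-both-sides step the post describes. The method names, and passing the HMAC key in directly rather than deriving it, are assumptions made for this sketch.

```ruby
require "openssl"

# Pure-Ruby comparison with no early exit: each byte pair is XORed and
# the result OR-ed into one accumulator, so the loop does the same work
# wherever (or whether) the strings differ.
def constant_time_equal?(a, b)
  return false unless a.bytesize == b.bytesize # length is not secret here
  diff = 0
  a.each_byte.with_index { |x, i| diff |= x ^ b.getbyte(i) }
  diff.zero?
end

# HMAC-SHA256 over the ciphertext (key derivation left out of this sketch).
def mac_for(ciphertext, key)
  OpenSSL::HMAC.digest(OpenSSL::Digest.new("SHA256"), key, ciphertext)
end

def authentic?(ciphertext, key, mac)
  # Hash both sides first: the compared values are then always 32 bytes
  # and the sender cannot choose the compared bytes directly.
  computed = OpenSSL::Digest::SHA256.digest(mac_for(ciphertext, key))
  provided = OpenSSL::Digest::SHA256.digest(mac)
  # Prefer the comparison shipped with newer openssl gems when present.
  if OpenSSL.respond_to?(:fixed_length_secure_compare)
    OpenSSL.fixed_length_secure_compare(computed, provided)
  else
    constant_time_equal?(computed, provided)
  end
end

# Constructed sample values, for illustration only.
SAMPLE_KEY = "k" * 32
SAMPLE_CIPHERTEXT = "constructed ciphertext bytes"
```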