I'm storing user session tokens as strings in a DynamoDB table. When my users make requests to my API, I query my sessions table with the session token provided by the user to check that it is a real session token and find the user that it corresponds to. The session token is in the partition key of the table and the query is simply searching the partition key for string equality with the user-provided token. If there's no match then I immediately return an error code to the API request.
I'm wondering whether a timing attack is possible here. Specifically, I'm wondering whether the time taken for non-matching DynamoDB queries would vary in a measurable way if the queried value was a partial match for an entry in the table? Presumably that would allow an attacker to find a valid session key one character at a time.
Or alternatively, is the time taken for a partition key string equality query constant whether or not it's a partial match?
If this is a concern, is there a conventional way for mitigating it? The first idea that comes to mind would be to measure the time taken for the API request and if the query fails simply wait until a constant amount of time has passed before returning the error so that no timing information is revealed to the attacker. Would that be suitable?
That's great to know. Thank you very much!