constant-time string comparison to mitigate timing attacks.

[pda]

Prompted by https://github.com/99designs/http-signatures-php/pull/28

In unit tests I was unable to reliably demonstrate that a == b was vulnerable to timing attacks due to non-deterministic timing noise, even for contrived scenarios where it should have been very apparent. However Ruby's String#== uses memcmp so is theoretically vulnerable, so this patch replaces it with a constant-time implementation based on ActiveSupport::SecurityUtils.