Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Timing Attack

Rubens Stulzer
January 19, 2017
Technology
0
85

Timing Attack

Lightning Talk about how to securely compare two strings, using Rails.

Rubens Stulzer

January 19, 2017
Tweet

More Decks by Rubens Stulzer

See All by Rubens Stulzer
Microservices - To hell and back
stulzer
0
220
My trip to Startup Nation
stulzer
0
67
Being Data Driven
stulzer
0
66
Passos para se tornar um programador Ruby
stulzer
0
56
Using Rails to build Growth Hacks Fast
stulzer
1
120
Using vim faster than the other guy
stulzer
1
180

Other Decks in Technology

See All in Technology
ライフステージの変化を乗り越える 探索型のキャリア選択
tenshoku_draft
2
370
Real World Nix CI/CD編
asa1984
1
150
QAエンジニアが スクラムマスターをすると いいなぁと思った話
____rina____
0
230
x86-64 Assembly Essentials
latte72
4
830
20250304_赤煉瓦倉庫_DeepSeek_Deep_Dive
hiouchiy
2
150
サイト信頼性エンジニアリングとAmazon Web Services / SRE and AWS
ymotongpoo
8
1.9k
自分のやることに価値を見出だせるようになり、挑戦する勇気をもらったベイトソンの考え / Scrum Fest Fukuoka 2025
bonbon0605
0
180
2025/3/1 公共交通オープンデータデイ2025
morohoshi
0
130
AIエージェント開発のノウハウと課題
pharma_x_tech
10
5.7k
OPENLOGI Company Profile for engineer
hr01
1
21k
VPoEの引き継ぎでやったこと、わかったこと
saitoryc
1
200
JAWS FESTA 2024「バスロケ」GPS×サーバーレスの開発と運用の舞台裏/jawsfesta2024-bus-gps-serverless
ma2shita
3
420

Featured

See All Featured
Producing Creativity
orderedlist
PRO
344
40k
The Success of Rails: Ensuring Growth for the Next 100 Years
eileencodes
44
7.1k
A Tale of Four Properties
chriscoyier
158
23k
Creating an realtime collaboration tool: Agile Flush - .NET Oxford
marcduiker
28
1.9k
The Cult of Friendly URLs
andyhume
78
6.2k
The Psychology of Web Performance [Beyond Tellerrand 2023]
tammyeverts
46
2.4k
The MySQL Ecosystem @ GitHub 2015
samlambert
251
12k
YesSQL, Process and Tooling at Scale
rocio
172
14k
Put a Button on it: Removing Barriers to Going Fast.
kastner
60
3.7k
Adopting Sorbet at Scale
ufuk
75
9.2k
Bash Introduction
62gerente
611
210k
Being A Developer After 40
akosma
89
590k

Transcript

  1. Timing Attack

  2. ~/awesome/project master= ∴

  3. ~/awesome/project master= ∴ git show f19c712702c9fced2461eabd2443c1009baffebb

  4. ~/awesome/project master= ∴ git show f19c712702c9fced2461eabd2443c1009baffebb commit f19c712702c9fced2461eabd2443c1009baffebb Author: Rubens

    Stulzer <rubens.junior@vivareal.com> Date: Wed Apr 13 17:27:40 2016 -0300 Improves security when comparing password diff --git a/app/models/session.rb b/app/models/session.rb index 7041c8a..685c247 100644 --- a/app/models/session.rb +++ b/app/models/session.rb @@ -89,7 +89,7 @@ private def password_match? - salted_user_password == salted_db_password + ActiveSupport::SecurityUtils.secure_compare(salted_user_password, salted_db_password) end

  5. String comparison using ==

  6. P A S S W O R D P A

    S S W O R D

  7. P A S S W O R D P A

    S S W O R D

  8. P A S S W O R D P A

    S S W O R D

  9. P A S S W O R D P A

    S S W O R D

  10. P A S S W O R D P A

    S S W O R D

  11. P A S S W O R D P A

    S S W O R D

  12. P A S S W O R D P A

    S S W O R D

  13. P A S S W O R D P A

    S S W O R D

  14. P A S S W O R D P A

    S S W O R D

  15. P A S S W O R D P A

    S S W O R D

  16. P A S S W O R D P A

    S S W O R D

  17. P A S S W O R D P A

    S S W O R D

  18. P A S S W O R D P A

    S S W O R D

  19. P A S S W O R D P A

    S S W O R D

  20. P A S S W O R D P A

    S S W O R D

  21. P A S S W O R D P A

    S S W O R D

  22. P A S S W O R D P A

    S S W O R D

  23. P A S S W O R D P A

    S S W O R D

  24. P A S S W O R D P A

    S S W O R D true

  25. Time taken - μ20 true P A S S W

    O R D P A S S W O R D

  26. P I D S I N G T P A

    S S W O R D

  27. P I D S I N G T P A

    S S W O R D

  28. P I D S I N G T P A

    S S W O R D

  29. P I D S I N G T P A

    S S W O R D

  30. P I D S I N G T P A

    S S W O R D

  31. P I D S I N G T P A

    S S W O R D

  32. P I D S I N G T P A

    S S W O R D false

  33. P I D S I N G T P A

    S S W O R D Time taken - μ1 false

  34. This is OK

  35. None

  36. We

  37. We

  38. We Ruby

  39. String comparison is supposed to work like that

  40. The problem is the time taken μ1 - For the

    wrong one μ20 - For the right one

  41. P A S S W O R D P A

    S S I N G T

  42. P A S S I N G T P A

    S S W O R D

  43. P A S S I N G T P A

    S S W O R D

  44. P A S S W O R D P A

    S S I N G T

  45. P A S S I N G T P A

    S S W O R D

  46. P A S S I N G T P A

    S S W O R D

  47. P A S S I N G T P A

    S S W O R D

  48. P A S S I N G T P A

    S S W O R D

  49. P A S S I N G T P A

    S S W O R D

  50. P A S S I N G T P A

    S S W O R D

  51. P A S S I N G T P A

    S S W O R D

  52. P A S S I N G T P A

    S S W O R D

  53. P A S S I N G T P A

    S S W O R D false

  54. P A S S I N G T P A

    S S W O R D Time taken - μ14 false

  55. We have a pattern here

  56. Longer it takes, more close to discover the password you

    are

  57. Avoiding this issue with .secure_compare

  58. P A S S W O R D P A

    S S I N G T

  59. P A S S I N G T P A

    S S W O R D

  60. P A S S I N G T P A

    S S W O R D

  61. P A S S W O R D P A

    S S I N G T

  62. P A S S I N G T P A

    S S W O R D

  63. P A S S I N G T P A

    S S W O R D

  64. P A S S I N G T P A

    S S W O R D

  65. P A S S I N G T P A

    S S W O R D

  66. P A S S I N G T P A

    S S W O R D

  67. P A S S I N G T P A

    S S W O R D

  68. P A S S I N G T P A

    S S W O R D

  69. P A S S I N G T P A

    S S W O R D

  70. P A S S I N G T P A

    S S W O R D

  71. P A S S I N G T P A

    S S W O R D

  72. P A S S I N G T P A

    S S W O R D

  73. P A S S I N G T P A

    S S W O R D

  74. P A S S I N G T P A

    S S W O R D

  75. P A S S I N G T P A

    S S W O R D

  76. P A S S I N G T P A

    S S W O R D false

  77. P A S S I N G T P A

    S S W O R D Time taken - μ20 false
  78. None

  79. We

  80. We

  81. We Rails

  82. Thank You