
Timing Attack

Lightning Talk about how to securely compare two strings, using Rails.

Rubens Stulzer

January 19, 2017

Transcript

  1. Timing Attack

  2. ~/awesome/project master= ∴

  3. ~/awesome/project master= ∴ git show f19c712702c9fced2461eabd2443c1009baffebb

  4. ~/awesome/project master= ∴ git show f19c712702c9fced2461eabd2443c1009baffebb commit f19c712702c9fced2461eabd2443c1009baffebb Author: Rubens

    Stulzer <rubens.junior@vivareal.com> Date: Wed Apr 13 17:27:40 2016 -0300 Improves security when comparing password diff --git a/app/models/session.rb b/app/models/session.rb index 7041c8a..685c247 100644 --- a/app/models/session.rb +++ b/app/models/session.rb @@ -89,7 +89,7 @@ private def password_match? - salted_user_password == salted_db_password + ActiveSupport::SecurityUtils.secure_compare(salted_user_password, salted_db_password) end
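Review bot: `ActiveSupport::SecurityUtils.secure_compare` still returns early when the two strings differ in byte length, so the new `password_match?` leaks the length of `salted_db_password` unless both sides are already fixed-length digests; if `salted_user_password` and `salted_db_password` are not of constant length, hash both to the same length before comparing, e.g. `ActiveSupport::SecurityUtils.secure_compare(Digest::SHA256.hexdigest(salted_user_password), Digest::SHA256.hexdigest(salted_db_password))`, and say in the commit message what the `salted_*` values contain so a reviewer can confirm the inputs have constant length.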
  5. String comparison using ==

  6. Comparing P A S S W O R D against P A S S W O R D one character at a time (animated over slides 6–24): every position matches, so == returns true.

  25. Time taken - μ20 true (P A S S W O R D against P A S S W O R D)
  26. Comparing P I D S I N G T against P A S S W O R D (animated over slides 26–32): P matches, I does not, so == stops at the second character and returns false.

  33. Time taken - μ1 false (P I D S I N G T against P A S S W O R D)
  34. This is OK

  36. We Ruby (built up one word at a time over slides 36–38)

  39. String comparison is supposed to work like that

  40. The problem is the time taken:

    μ1 - for the wrong one
    μ20 - for the right one
  41. Comparing P A S S I N G T against P A S S W O R D (animated over slides 41–53): the first four characters match, == stops at the fifth and returns false.

  54. Time taken - μ14 false (P A S S I N G T against P A S S W O R D)
  55. We have a pattern here

  56. The longer the comparison takes, the closer you are to discovering the password.
  57. Avoiding this issue with .secure_compare

  58. The same comparison, P A S S I N G T against P A S S W O R D, with .secure_compare (animated over slides 58–76): every character is examined even though the fifth one already differs, and the result is false.

  77. Time taken - μ20 false (P A S S I N G T against P A S S W O R D)
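The early-exit comparison from slides 5–56 and the constant-time comparison from slides 57–77, side by side with a simulated attacker that uses only the amount of work the comparison did (the slides' "time taken") to recover the secret, as an added example in plain Ruby. This is not code from the talk or from Rails: `naive_compare`, `constant_time_compare`, `hashed_secure_compare` and `recover_secret` are names chosen here, the secret and the alphabet are constructed for the demo, and the byte counter stands in for wall-clock timing, which in a real attack has to be measured statistically over many requests.

```ruby
require "digest"

# Key space the simulated attacker searches (constructed for this demo).
ALPHABET = ("A".."Z").to_a.join

# The slides' example secret (constructed for this demo).
SECRET = "PASSWORD"

# Early-exit comparison, the way the slides model String#==: stop at the first
# mismatching byte. The number of bytes examined stands in for "time taken",
# so it grows with the length of the prefix the guess got right.
# Returns [equal?, bytes_examined].
def naive_compare(secret, guess)
  return [false, 0] unless secret.bytesize == guess.bytesize
  examined = 0
  secret.each_byte.with_index do |byte, i|
    examined += 1
    return [false, examined] if byte != guess.getbyte(i)
  end
  [true, examined]
end

# Constant-time comparison in the style of ActiveSupport::SecurityUtils.secure_compare:
# XOR every byte pair, OR the differences together, and only look at the result
# after the loop. A mismatch at byte 1 costs exactly as much as a mismatch at byte 8.
# Returns [equal?, bytes_examined].
def constant_time_compare(secret, guess)
  return [false, 0] unless secret.bytesize == guess.bytesize
  diff = 0
  examined = 0
  secret.each_byte.with_index do |byte, i|
    diff |= byte ^ guess.getbyte(i)
    examined += 1
  end
  [diff.zero?, examined]
end

# The length check above still tells an attacker when the length is right.
# Hashing both sides to a fixed 32-byte digest before comparing (as newer
# ActiveSupport releases do inside secure_compare) removes that signal too.
def hashed_secure_compare(secret, guess)
  constant_time_compare(Digest::SHA256.digest(secret), Digest::SHA256.digest(guess)).first
end

# Simulated attacker: it never sees the secret, only the oracle's
# [equal?, bytes_examined] answer for each guess, i.e. "did I get in" plus the
# timing side channel. It recovers the secret one position at a time by keeping
# the character that made the comparison do the most work.
def recover_secret(length, alphabet = ALPHABET)
  recovered = +""
  length.times do
    best_char = nil
    best_steps = -1
    alphabet.each_char do |c|
      guess = (recovered + c).ljust(length, "\0") # pad so the length check passes
      equal, steps = yield(guess)
      return recovered + c if equal               # last byte: success is the signal
      if steps > best_steps
        best_steps = steps
        best_char = c
      end
    end
    recovered << best_char
  end
  recovered
end

# Against the early-exit comparison the side channel gives the secret away ...
def attack_naive
  recover_secret(SECRET.length) { |guess| naive_compare(SECRET, guess) }
end

# ... against the constant-time comparison every wrong guess costs the same, so
# the attacker learns nothing and keeps the alphabet's first letter everywhere.
def attack_constant_time
  recover_secret(SECRET.length) { |guess| constant_time_compare(SECRET, guess) }
end

if __FILE__ == $0
  p naive_compare(SECRET, "PIDSINGT")         # [false, 2]  stops at byte 2
  p naive_compare(SECRET, "PASSINGT")         # [false, 5]  stops at byte 5
  p constant_time_compare(SECRET, "PASSINGT") # [false, 8]  always walks all 8 bytes
  p attack_naive                              # "PASSWORD"
  p attack_constant_time                      # "AAAAAAAA"
end
```

The attacker needs 26 guesses per position instead of 26 to the power of 8 for the whole secret because each extra matching byte shows up as one more unit of work; with the constant-time version every wrong guess costs the same 8 units, so the only thing left to measure is whether the login succeeded.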
  79. We Rails (built up one word at a time over slides 79–81)

  82. Thank You