Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Timing Attack

412292ca8d206e602f2c6331b5838ad3?s=47 Rubens Stulzer
January 19, 2017
Technology
0
55

Timing Attack

Lightning Talk about how to securely compare two strings, using Rails.

412292ca8d206e602f2c6331b5838ad3?s=128

Rubens Stulzer

January 19, 2017
Tweet

More Decks by Rubens Stulzer

See All by Rubens Stulzer
412292ca8d206e602f2c6331b5838ad3?s=48 stulzer
0
140
412292ca8d206e602f2c6331b5838ad3?s=48 stulzer
0
48
412292ca8d206e602f2c6331b5838ad3?s=48 stulzer
0
42
412292ca8d206e602f2c6331b5838ad3?s=48 stulzer
0
40
412292ca8d206e602f2c6331b5838ad3?s=48 stulzer
1
94
412292ca8d206e602f2c6331b5838ad3?s=48 stulzer
1
170

Other Decks in Technology

See All in Technology
9b63847a4c413a2604e1d64e5d595dab?s=48 humank
0
220
3009eedce0d0f7ae45987a7bd8f57b85?s=48 nkjzm
1
850
E8fe0220162ea15aab7ec96690cc437a?s=48 pinboro
1
1.6k
Bee82b2f6e75097641a3ba5ce70c2368?s=48 takem001
0
910
79fc33e55cacc42beef647541de24d58?s=48 yasuakiomokawa
0
360
48712994d81fae89e671dd3f43b8b7a2?s=48 kappa4
4
2.3k
56d7bcf9b5071512c65e753a1619987a?s=48 kakka
0
3.6k
4649f3418cb4e7b951ca28e65003c7ac?s=48 sumi
0
500
5b9550b2ea725a86cde115633e7cd162?s=48 muras
0
100
F082484f19b518225501fafa28d05b93?s=48 greymd
0
620
A64ac825509279a770c13c6fc517f11a?s=48 kawaguti
0
120
9d9818105b2a10cc4824f70cd17d17b5?s=48 na2neko
0
110

Featured

See All Featured
C0390e8b11079f8761c0cd3274ed61cb?s=48 productmarketing
5
660
1519587b1a0febb658c36c94f6272b0d?s=48 roundedbygravity
84
7.8k
A9704266587836f7e784235e5073b93e?s=48 jmmastey
9
540
719435d98d452de7ac367c828266cf01?s=48 erikaheidi
13
4.2k
7c8469ee8c9e594c65c59b919626c08d?s=48 scottboms
251
11k
Be9caeb9d4ef9944d151af909063ed6e?s=48 samlambert
237
9.9k
78b475797a14c84799063c7cd073962f?s=48 holman
448
130k
7653c7c449918ff6542880a8c284f5e7?s=48 jponch
103
5k
170b760e0147792d0140e59ec78e9893?s=48 eitanlees
111
9.9k
027d1ebf66cc039a0bd3b55eeadbe75d?s=48 sachag
267
17k
Dad095ea7038f89f760419ce475d5d14?s=48 michaelherold
225
8.5k
E4f5d494ebdc9e7cce1aecf3ce3e8bc1?s=48 shpigford
368
42k

Transcript

  1. Timing Attack

  2. ~/awesome/project master= ∴

  3. ~/awesome/project master= ∴ git show f19c712702c9fced2461eabd2443c1009baffebb

  4. ~/awesome/project master= ∴ git show f19c712702c9fced2461eabd2443c1009baffebb commit f19c712702c9fced2461eabd2443c1009baffebb Author: Rubens

    Stulzer <rubens.junior@vivareal.com> Date: Wed Apr 13 17:27:40 2016 -0300 Improves security when comparing password diff --git a/app/models/session.rb b/app/models/session.rb index 7041c8a..685c247 100644 --- a/app/models/session.rb +++ b/app/models/session.rb @@ -89,7 +89,7 @@ private def password_match? - salted_user_password == salted_db_password + ActiveSupport::SecurityUtils.secure_compare(salted_user_password, salted_db_password) end

  5. String comparison using ==

  6. P A S S W O R D P A

    S S W O R D

  7. P A S S W O R D P A

    S S W O R D

  8. P A S S W O R D P A

    S S W O R D

  9. P A S S W O R D P A

    S S W O R D

  10. P A S S W O R D P A

    S S W O R D

  11. P A S S W O R D P A

    S S W O R D

  12. P A S S W O R D P A

    S S W O R D

  13. P A S S W O R D P A

    S S W O R D

  14. P A S S W O R D P A

    S S W O R D

  15. P A S S W O R D P A

    S S W O R D

  16. P A S S W O R D P A

    S S W O R D

  17. P A S S W O R D P A

    S S W O R D

  18. P A S S W O R D P A

    S S W O R D

  19. P A S S W O R D P A

    S S W O R D

  20. P A S S W O R D P A

    S S W O R D

  21. P A S S W O R D P A

    S S W O R D

  22. P A S S W O R D P A

    S S W O R D

  23. P A S S W O R D P A

    S S W O R D

  24. P A S S W O R D P A

    S S W O R D true

  25. Time taken - μ20 true P A S S W

    O R D P A S S W O R D

  26. P I D S I N G T P A

    S S W O R D

  27. P I D S I N G T P A

    S S W O R D

  28. P I D S I N G T P A

    S S W O R D

  29. P I D S I N G T P A

    S S W O R D

  30. P I D S I N G T P A

    S S W O R D

  31. P I D S I N G T P A

    S S W O R D

  32. P I D S I N G T P A

    S S W O R D false

  33. P I D S I N G T P A

    S S W O R D Time taken - μ1 false

  34. This is OK

  35. None

  36. We

  37. We

  38. We Ruby

  39. String comparison is supposed to work like that

  40. The problem is the time taken μ1 - For the

    wrong one μ20 - For the right one

  41. P A S S W O R D P A

    S S I N G T

  42. P A S S I N G T P A

    S S W O R D

  43. P A S S I N G T P A

    S S W O R D

  44. P A S S W O R D P A

    S S I N G T

  45. P A S S I N G T P A

    S S W O R D

  46. P A S S I N G T P A

    S S W O R D

  47. P A S S I N G T P A

    S S W O R D

  48. P A S S I N G T P A

    S S W O R D

  49. P A S S I N G T P A

    S S W O R D

  50. P A S S I N G T P A

    S S W O R D

  51. P A S S I N G T P A

    S S W O R D

  52. P A S S I N G T P A

    S S W O R D

  53. P A S S I N G T P A

    S S W O R D false

  54. P A S S I N G T P A

    S S W O R D Time taken - μ14 false

  55. We have a pattern here

  56. Longer it takes, more close to discover the password you

    are

  57. Avoiding this issue with .secure_compare

  58. P A S S W O R D P A

    S S I N G T

  59. P A S S I N G T P A

    S S W O R D

  60. P A S S I N G T P A

    S S W O R D

  61. P A S S W O R D P A

    S S I N G T

  62. P A S S I N G T P A

    S S W O R D

  63. P A S S I N G T P A

    S S W O R D

  64. P A S S I N G T P A

    S S W O R D

  65. P A S S I N G T P A

    S S W O R D

  66. P A S S I N G T P A

    S S W O R D

  67. P A S S I N G T P A

    S S W O R D

  68. P A S S I N G T P A

    S S W O R D

  69. P A S S I N G T P A

    S S W O R D

  70. P A S S I N G T P A

    S S W O R D

  71. P A S S I N G T P A

    S S W O R D

  72. P A S S I N G T P A

    S S W O R D

  73. P A S S I N G T P A

    S S W O R D

  74. P A S S I N G T P A

    S S W O R D

  75. P A S S I N G T P A

    S S W O R D

  76. P A S S I N G T P A

    S S W O R D false

  77. P A S S I N G T P A

    S S W O R D Time taken - μ20 false
  78. None

  79. We

  80. We

  81. We Rails

  82. Thank You