Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Timing Attack
Search
Rubens Stulzer
January 19, 2017
Technology
100
0
Share
Timing Attack
Lightning Talk about how to securely compare two strings, using Rails.
Rubens Stulzer
January 19, 2017
More Decks by Rubens Stulzer
See All by Rubens Stulzer
Microservices - To hell and back
stulzer
0
250
My trip to Startup Nation
stulzer
0
78
Being Data Driven
stulzer
0
89
Passos para se tornar um programador Ruby
stulzer
0
67
Using Rails to build Growth Hacks Fast
stulzer
1
130
Using vim faster than the other guy
stulzer
1
210
Other Decks in Technology
See All in Technology
社内エンジニア勉強会の醍醐味と苦しみ/tamadev
nishiuma
0
210
2026年、知っておくべき最新 サーバレスTips10選/serverless-10-tips
slsops
13
5.2k
Do Vibe Coding ao LLM em Produção para Busca Agêntica - TDC 2026 - Summit IA - São Paulo
jpbonson
3
120
AWS Agent Registry の基礎・概要を理解する/aws-agent-registry-intro
ren8k
3
380
AIを共同作業者にして書籍を執筆する方法 / How to Write a Book with AI as a Co-Creator
ama_ch
2
130
最初の一歩を踏み出せなかった私が、誰かの背中を押したいと思うようになるまで / give someone a push
mii3king
0
160
Rapid Start: Faster Internet Connections, with Ruby's Help
kazuho
2
610
ネットワーク運用を楽にするAWS DevOps Agent活用法!! / 20260421 Masaki Okuda
shift_evolve
PRO
2
210
Choose your own adventure in agentic design patterns
glaforge
0
140
エージェントスキルを作って自分のインプットに役立てよう
tsubakimoto_s
0
370
Do Ruby::Box dream of Modular Monolith?
joker1007
1
340
AgentCore×VPCでの設計パターンn選と勘所
har1101
3
280
Featured
See All Featured
Hiding What from Whom? A Critical Review of the History of Programming languages for Music
tomoyanonymous
2
760
AI Search: Implications for SEO and How to Move Forward - #ShenzhenSEOConference
aleyda
1
1.2k
From Legacy to Launchpad: Building Startup-Ready Communities
dugsong
0
200
Performance Is Good for Brains [We Love Speed 2024]
tammyeverts
12
1.6k
Primal Persuasion: How to Engage the Brain for Learning That Lasts
tmiket
0
320
Leading Effective Engineering Teams in the AI Era
addyosmani
9
1.9k
Marketing to machines
jonoalderson
1
5.2k
The Web Performance Landscape in 2024 [PerfNow 2024]
tammyeverts
12
1.1k
Measuring Dark Social's Impact On Conversion and Attribution
stephenakadiri
1
190
We Analyzed 250 Million AI Search Results: Here's What I Found
joshbly
1
1.2k
Automating Front-end Workflow
addyosmani
1370
200k
Faster Mobile Websites
deanohume
310
31k
Transcript
Timing Attack
~/awesome/project master= ∴
~/awesome/project master= ∴ git show f19c712702c9fced2461eabd2443c1009baffebb
~/awesome/project master= ∴ git show f19c712702c9fced2461eabd2443c1009baffebb commit f19c712702c9fced2461eabd2443c1009baffebb Author: Rubens
Stulzer <
[email protected]
> Date: Wed Apr 13 17:27:40 2016 -0300 Improves security when comparing password diff --git a/app/models/session.rb b/app/models/session.rb index 7041c8a..685c247 100644 --- a/app/models/session.rb +++ b/app/models/session.rb @@ -89,7 +89,7 @@ private def password_match? - salted_user_password == salted_db_password + ActiveSupport::SecurityUtils.secure_compare(salted_user_password, salted_db_password) end
String comparison using ==
P A S S W O R D P A
S S W O R D
P A S S W O R D P A
S S W O R D
P A S S W O R D P A
S S W O R D
P A S S W O R D P A
S S W O R D
P A S S W O R D P A
S S W O R D
P A S S W O R D P A
S S W O R D
P A S S W O R D P A
S S W O R D
P A S S W O R D P A
S S W O R D
P A S S W O R D P A
S S W O R D
P A S S W O R D P A
S S W O R D
P A S S W O R D P A
S S W O R D
P A S S W O R D P A
S S W O R D
P A S S W O R D P A
S S W O R D
P A S S W O R D P A
S S W O R D
P A S S W O R D P A
S S W O R D
P A S S W O R D P A
S S W O R D
P A S S W O R D P A
S S W O R D
P A S S W O R D P A
S S W O R D
P A S S W O R D P A
S S W O R D true
Time taken - μ20 true P A S S W
O R D P A S S W O R D
P I D S I N G T P A
S S W O R D
P I D S I N G T P A
S S W O R D
P I D S I N G T P A
S S W O R D
P I D S I N G T P A
S S W O R D
P I D S I N G T P A
S S W O R D
P I D S I N G T P A
S S W O R D
P I D S I N G T P A
S S W O R D false
P I D S I N G T P A
S S W O R D Time taken - μ1 false
This is OK
None
We
We
We Ruby
String comparison is supposed to work like that
The problem is the time taken μ1 - For the
wrong one μ20 - For the right one
P A S S W O R D P A
S S I N G T
P A S S I N G T P A
S S W O R D
P A S S I N G T P A
S S W O R D
P A S S W O R D P A
S S I N G T
P A S S I N G T P A
S S W O R D
P A S S I N G T P A
S S W O R D
P A S S I N G T P A
S S W O R D
P A S S I N G T P A
S S W O R D
P A S S I N G T P A
S S W O R D
P A S S I N G T P A
S S W O R D
P A S S I N G T P A
S S W O R D
P A S S I N G T P A
S S W O R D
P A S S I N G T P A
S S W O R D false
P A S S I N G T P A
S S W O R D Time taken - μ14 false
We have a pattern here
Longer it takes, more close to discover the password you
are
Avoiding this issue with .secure_compare
P A S S W O R D P A
S S I N G T
P A S S I N G T P A
S S W O R D
P A S S I N G T P A
S S W O R D
P A S S W O R D P A
S S I N G T
P A S S I N G T P A
S S W O R D
P A S S I N G T P A
S S W O R D
P A S S I N G T P A
S S W O R D
P A S S I N G T P A
S S W O R D
P A S S I N G T P A
S S W O R D
P A S S I N G T P A
S S W O R D
P A S S I N G T P A
S S W O R D
P A S S I N G T P A
S S W O R D
P A S S I N G T P A
S S W O R D
P A S S I N G T P A
S S W O R D
P A S S I N G T P A
S S W O R D
P A S S I N G T P A
S S W O R D
P A S S I N G T P A
S S W O R D
P A S S I N G T P A
S S W O R D
P A S S I N G T P A
S S W O R D false
P A S S I N G T P A
S S W O R D Time taken - μ20 false
None
We
We
We Rails
Thank You
stulzer
nishiuma
slsops
jpbonson
ren8k
ama_ch
mii3king
kazuho
shift_evolve
glaforge
tsubakimoto_s
joker1007
har1101
tomoyanonymous
aleyda
dugsong
tammyeverts
tmiket
addyosmani
jonoalderson
stephenakadiri
joshbly
deanohume
