Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Timing Attack

Rubens Stulzer
January 19, 2017
Technology
0
83

Timing Attack

Lightning Talk about how to securely compare two strings, using Rails.

Rubens Stulzer

January 19, 2017
Tweet

More Decks by Rubens Stulzer

See All by Rubens Stulzer
Microservices - To hell and back
stulzer
0
210
My trip to Startup Nation
stulzer
0
62
Being Data Driven
stulzer
0
63
Passos para se tornar um programador Ruby
stulzer
0
54
Using Rails to build Growth Hacks Fast
stulzer
1
120
Using vim faster than the other guy
stulzer
1
180

Other Decks in Technology

See All in Technology
PHPerのための計算量入門/Complexity101 for PHPer
hanhan1978
5
780
型情報を用いたLintでコード品質を向上させる
sansantech
PRO
2
160
12 Days of OpenAIから読み解く、生成AI 2025年のトレンド
shunsukeono_am
0
600
サービスでLLMを採用したばっかりに振り回され続けたこの一年のあれやこれや
segavvy
2
600
Yahoo! ズバトクにおけるフロントエンド開発
lycorptech_jp
PRO
0
110
Web APIをなぜつくるのか
mikanichinose
0
480
非機能品質を作り込むための実践アーキテクチャ
knih
5
1.7k
組み込みアプリパフォーマンス格闘記 検索画面編
wataruhigasi
1
180
LINEスキマニにおけるフロントエンド開発
lycorptech_jp
PRO
0
360
いまからでも遅くないコンテナ座学
nomu
0
150
Wantedly での Datadog 活用事例
bgpat
2
790
最近のSfM手法まとめ - COLMAP / GLOMAPを中心に -
kwchrk
7
1.4k

Featured

See All Featured
Speed Design
sergeychernyshev
25
680
Exploring the Power of Turbo Streams & Action Cable | RailsConf2023
kevinliebholz
28
4.4k
Helping Users Find Their Own Way: Creating Modern Search Experiences
danielanewman
29
2.3k
Bash Introduction
62gerente
609
210k
Visualization
eitanlees
146
15k
How to train your dragon (web standard)
notwaldorf
88
5.7k
The Illustrated Children's Guide to Kubernetes
chrisshort
48
49k
The Art of Delivering Value - GDevCon NA Keynote
reverentgeek
8
1.2k
The Psychology of Web Performance [Beyond Tellerrand 2023]
tammyeverts
45
2.2k
Docker and Python
trallard
42
3.2k
The World Runs on Bad Software
bkeepers
PRO
66
11k
Code Review Best Practice
trishagee
65
17k

Transcript

  1. Timing Attack

  2. ~/awesome/project master= ∴

  3. ~/awesome/project master= ∴ git show f19c712702c9fced2461eabd2443c1009baffebb

  4. ~/awesome/project master= ∴ git show f19c712702c9fced2461eabd2443c1009baffebb commit f19c712702c9fced2461eabd2443c1009baffebb Author: Rubens

    Stulzer <[email protected]> Date: Wed Apr 13 17:27:40 2016 -0300 Improves security when comparing password diff --git a/app/models/session.rb b/app/models/session.rb index 7041c8a..685c247 100644 --- a/app/models/session.rb +++ b/app/models/session.rb @@ -89,7 +89,7 @@ private def password_match? - salted_user_password == salted_db_password + ActiveSupport::SecurityUtils.secure_compare(salted_user_password, salted_db_password) end

  5. String comparison using ==

  6. P A S S W O R D P A

    S S W O R D

  7. P A S S W O R D P A

    S S W O R D

  8. P A S S W O R D P A

    S S W O R D

  9. P A S S W O R D P A

    S S W O R D

  10. P A S S W O R D P A

    S S W O R D

  11. P A S S W O R D P A

    S S W O R D

  12. P A S S W O R D P A

    S S W O R D

  13. P A S S W O R D P A

    S S W O R D

  14. P A S S W O R D P A

    S S W O R D

  15. P A S S W O R D P A

    S S W O R D

  16. P A S S W O R D P A

    S S W O R D

  17. P A S S W O R D P A

    S S W O R D

  18. P A S S W O R D P A

    S S W O R D

  19. P A S S W O R D P A

    S S W O R D

  20. P A S S W O R D P A

    S S W O R D

  21. P A S S W O R D P A

    S S W O R D

  22. P A S S W O R D P A

    S S W O R D

  23. P A S S W O R D P A

    S S W O R D

  24. P A S S W O R D P A

    S S W O R D true

  25. Time taken - μ20 true P A S S W

    O R D P A S S W O R D

  26. P I D S I N G T P A

    S S W O R D

  27. P I D S I N G T P A

    S S W O R D

  28. P I D S I N G T P A

    S S W O R D

  29. P I D S I N G T P A

    S S W O R D

  30. P I D S I N G T P A

    S S W O R D

  31. P I D S I N G T P A

    S S W O R D

  32. P I D S I N G T P A

    S S W O R D false

  33. P I D S I N G T P A

    S S W O R D Time taken - μ1 false

  34. This is OK

  35. None

  36. We

  37. We

  38. We Ruby

  39. String comparison is supposed to work like that

  40. The problem is the time taken μ1 - For the

    wrong one μ20 - For the right one

  41. P A S S W O R D P A

    S S I N G T

  42. P A S S I N G T P A

    S S W O R D

  43. P A S S I N G T P A

    S S W O R D

  44. P A S S W O R D P A

    S S I N G T

  45. P A S S I N G T P A

    S S W O R D

  46. P A S S I N G T P A

    S S W O R D

  47. P A S S I N G T P A

    S S W O R D

  48. P A S S I N G T P A

    S S W O R D

  49. P A S S I N G T P A

    S S W O R D

  50. P A S S I N G T P A

    S S W O R D

  51. P A S S I N G T P A

    S S W O R D

  52. P A S S I N G T P A

    S S W O R D

  53. P A S S I N G T P A

    S S W O R D false

  54. P A S S I N G T P A

    S S W O R D Time taken - μ14 false

  55. We have a pattern here

  56. Longer it takes, more close to discover the password you

    are

  57. Avoiding this issue with .secure_compare

  58. P A S S W O R D P A

    S S I N G T

  59. P A S S I N G T P A

    S S W O R D

  60. P A S S I N G T P A

    S S W O R D

  61. P A S S W O R D P A

    S S I N G T

  62. P A S S I N G T P A

    S S W O R D

  63. P A S S I N G T P A

    S S W O R D

  64. P A S S I N G T P A

    S S W O R D

  65. P A S S I N G T P A

    S S W O R D

  66. P A S S I N G T P A

    S S W O R D

  67. P A S S I N G T P A

    S S W O R D

  68. P A S S I N G T P A

    S S W O R D

  69. P A S S I N G T P A

    S S W O R D

  70. P A S S I N G T P A

    S S W O R D

  71. P A S S I N G T P A

    S S W O R D

  72. P A S S I N G T P A

    S S W O R D

  73. P A S S I N G T P A

    S S W O R D

  74. P A S S I N G T P A

    S S W O R D

  75. P A S S I N G T P A

    S S W O R D

  76. P A S S I N G T P A

    S S W O R D false

  77. P A S S I N G T P A

    S S W O R D Time taken - μ20 false
  78. None

  79. We

  80. We

  81. We Rails

  82. Thank You