Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Timing Attack
Search
Rubens Stulzer
January 19, 2017
Technology
0
92
Timing Attack
Lightning Talk about how to securely compare two strings, using Rails.
Rubens Stulzer
January 19, 2017
Tweet
Share
More Decks by Rubens Stulzer
See All by Rubens Stulzer
Microservices - To hell and back
stulzer
0
230
My trip to Startup Nation
stulzer
0
71
Being Data Driven
stulzer
0
73
Passos para se tornar um programador Ruby
stulzer
0
59
Using Rails to build Growth Hacks Fast
stulzer
1
120
Using vim faster than the other guy
stulzer
1
190
Other Decks in Technology
See All in Technology
トヨタ生産方式(TPS)入門
recruitengineers
PRO
3
270
自社製CMSからmicroCMSへのリプレースがプロダクトグロースを加速させた話
nextbeatdev
0
140
ECS モニタリング手法大整理
yendoooo
1
120
開発と脆弱性と脆弱性診断についての話
su3158
1
1.1k
VPC Latticeのサービスエンドポイント機能を使用した複数VPCアクセス
duelist2020jp
0
250
退屈なことはDevinにやらせよう〜〜Devin APIを使ったVisual Regression Testの自動追加〜
kawamataryo
3
700
Goss: Faiss向けの新しい本番環境対応 Goバインディング #coefl_go_jp
bengo4com
0
1.4k
Postman MCP 関連機能アップデート / Postman MCP feature updates
yokawasa
1
150
Backboneとしてのtimm2025
yu4u
4
1.6k
EKS Pod Identity における推移的な session tags
z63d
1
210
Effective Match Types - Scala Days 2025
bishabosha
1
110
認知戦の理解と、市民としての対抗策
hogehuga
0
370
Featured
See All Featured
Building Adaptive Systems
keathley
43
2.7k
Designing for humans not robots
tammielis
253
25k
Keith and Marios Guide to Fast Websites
keithpitt
411
22k
A Modern Web Designer's Workflow
chriscoyier
695
190k
Stop Working from a Prison Cell
hatefulcrawdad
271
21k
Intergalactic Javascript Robots from Outer Space
tanoku
272
27k
How to Ace a Technical Interview
jacobian
279
23k
Music & Morning Musume
bryan
46
6.7k
How to train your dragon (web standard)
notwaldorf
96
6.2k
Balancing Empowerment & Direction
lara
2
590
10 Git Anti Patterns You Should be Aware of
lemiorhan
PRO
656
61k
Producing Creativity
orderedlist
PRO
347
40k
Transcript
Timing Attack
~/awesome/project master= ∴
~/awesome/project master= ∴ git show f19c712702c9fced2461eabd2443c1009baffebb
~/awesome/project master= ∴ git show f19c712702c9fced2461eabd2443c1009baffebb commit f19c712702c9fced2461eabd2443c1009baffebb Author: Rubens
Stulzer <
[email protected]
> Date: Wed Apr 13 17:27:40 2016 -0300 Improves security when comparing password diff --git a/app/models/session.rb b/app/models/session.rb index 7041c8a..685c247 100644 --- a/app/models/session.rb +++ b/app/models/session.rb @@ -89,7 +89,7 @@ private def password_match? - salted_user_password == salted_db_password + ActiveSupport::SecurityUtils.secure_compare(salted_user_password, salted_db_password) end
String comparison using ==
P A S S W O R D P A
S S W O R D
P A S S W O R D P A
S S W O R D
P A S S W O R D P A
S S W O R D
P A S S W O R D P A
S S W O R D
P A S S W O R D P A
S S W O R D
P A S S W O R D P A
S S W O R D
P A S S W O R D P A
S S W O R D
P A S S W O R D P A
S S W O R D
P A S S W O R D P A
S S W O R D
P A S S W O R D P A
S S W O R D
P A S S W O R D P A
S S W O R D
P A S S W O R D P A
S S W O R D
P A S S W O R D P A
S S W O R D
P A S S W O R D P A
S S W O R D
P A S S W O R D P A
S S W O R D
P A S S W O R D P A
S S W O R D
P A S S W O R D P A
S S W O R D
P A S S W O R D P A
S S W O R D
P A S S W O R D P A
S S W O R D true
Time taken - μ20 true P A S S W
O R D P A S S W O R D
P I D S I N G T P A
S S W O R D
P I D S I N G T P A
S S W O R D
P I D S I N G T P A
S S W O R D
P I D S I N G T P A
S S W O R D
P I D S I N G T P A
S S W O R D
P I D S I N G T P A
S S W O R D
P I D S I N G T P A
S S W O R D false
P I D S I N G T P A
S S W O R D Time taken - μ1 false
This is OK
None
We
We
We Ruby
String comparison is supposed to work like that
The problem is the time taken μ1 - For the
wrong one μ20 - For the right one
P A S S W O R D P A
S S I N G T
P A S S I N G T P A
S S W O R D
P A S S I N G T P A
S S W O R D
P A S S W O R D P A
S S I N G T
P A S S I N G T P A
S S W O R D
P A S S I N G T P A
S S W O R D
P A S S I N G T P A
S S W O R D
P A S S I N G T P A
S S W O R D
P A S S I N G T P A
S S W O R D
P A S S I N G T P A
S S W O R D
P A S S I N G T P A
S S W O R D
P A S S I N G T P A
S S W O R D
P A S S I N G T P A
S S W O R D false
P A S S I N G T P A
S S W O R D Time taken - μ14 false
We have a pattern here
Longer it takes, more close to discover the password you
are
Avoiding this issue with .secure_compare
P A S S W O R D P A
S S I N G T
P A S S I N G T P A
S S W O R D
P A S S I N G T P A
S S W O R D
P A S S W O R D P A
S S I N G T
P A S S I N G T P A
S S W O R D
P A S S I N G T P A
S S W O R D
P A S S I N G T P A
S S W O R D
P A S S I N G T P A
S S W O R D
P A S S I N G T P A
S S W O R D
P A S S I N G T P A
S S W O R D
P A S S I N G T P A
S S W O R D
P A S S I N G T P A
S S W O R D
P A S S I N G T P A
S S W O R D
P A S S I N G T P A
S S W O R D
P A S S I N G T P A
S S W O R D
P A S S I N G T P A
S S W O R D
P A S S I N G T P A
S S W O R D
P A S S I N G T P A
S S W O R D
P A S S I N G T P A
S S W O R D false
P A S S I N G T P A
S S W O R D Time taken - μ20 false
None
We
We
We Rails
Thank You