Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Timing Attack
Search
Sponsored
·
Your Podcast. Everywhere. Effortlessly.
Share. Educate. Inspire. Entertain. You do you. We'll handle the rest.
→
Rubens Stulzer
January 19, 2017
Technology
110
0
Share
Timing Attack
Lightning Talk about how to securely compare two strings, using Rails.
Rubens Stulzer
January 19, 2017
More Decks by Rubens Stulzer
See All by Rubens Stulzer
Microservices - To hell and back
stulzer
0
260
My trip to Startup Nation
stulzer
0
80
Being Data Driven
stulzer
0
93
Passos para se tornar um programador Ruby
stulzer
0
67
Using Rails to build Growth Hacks Fast
stulzer
1
130
Using vim faster than the other guy
stulzer
1
220
Other Decks in Technology
See All in Technology
Sociotechnical Architecture Reviews: Understanding Teams, not just Artefacts
ewolff
1
170
AI時代の品質はテストプロセスの作り直し #scrumniigata
kyonmm
PRO
4
1.5k
小さいVue.jsを30分で作る
hal_spidernight
0
150
「背中を見て育て」からの卒業 〜専門技術としてのテスト設計を軸に、品質保証のバトンを繋ぐ〜 #genda_tech_talk
nihonbuson
PRO
3
1.3k
AI 時代の Platform Engineering
recruitengineers
PRO
1
170
変化の激しい時代をゴキゲンに生き抜くために 〜ストレスマネジメントのススメ〜
kakehashi
PRO
5
1.3k
20260515 ID管理は会社を守る大切な砦!〜🔰情シス向け〜
oidfj
0
140
Oracle AI Database@Google Cloud:サービス概要のご紹介
oracle4engineer
PRO
6
1.4k
ボトムアップ限界を越える - 20チームを束る "Drive Map" / Beyond Bottom-Up: A 'Drive Map' for 20 Teams
kaonavi
0
200
鹿野さんに聞く!CSSの最新トレンド Ver.2026
tonkotsuboy_com
6
3k
ESP32 IoTを動かしながらメモリ使用量を観測してみた話
zozotech
PRO
0
110
ブラウザの投機的読み込みと投機ルールAPIを理解し、Webサービスのパフォーマンスを最適化する
shuta13
3
310
Featured
See All Featured
RailsConf 2023
tenderlove
30
1.4k
GraphQLとの向き合い方2022年版
quramy
50
15k
Ethics towards AI in product and experience design
skipperchong
2
270
Are puppies a ranking factor?
jonoalderson
1
3.4k
The innovator’s Mindset - Leading Through an Era of Exponential Change - McGill University 2025
jdejongh
PRO
1
170
Mobile First: as difficult as doing things right
swwweet
225
10k
職位にかかわらず全員がリーダーシップを発揮するチーム作り / Building a team where everyone can demonstrate leadership regardless of position
madoxten
62
54k
Keith and Marios Guide to Fast Websites
keithpitt
413
23k
Build The Right Thing And Hit Your Dates
maggiecrowley
39
3.1k
Learning to Love Humans: Emotional Interface Design
aarron
275
41k
How To Stay Up To Date on Web Technology
chriscoyier
790
250k
Imperfection Machines: The Place of Print at Facebook
scottboms
270
14k
Transcript
Timing Attack
~/awesome/project master= ∴
~/awesome/project master= ∴ git show f19c712702c9fced2461eabd2443c1009baffebb
~/awesome/project master= ∴ git show f19c712702c9fced2461eabd2443c1009baffebb commit f19c712702c9fced2461eabd2443c1009baffebb Author: Rubens
Stulzer <
[email protected]
> Date: Wed Apr 13 17:27:40 2016 -0300 Improves security when comparing password diff --git a/app/models/session.rb b/app/models/session.rb index 7041c8a..685c247 100644 --- a/app/models/session.rb +++ b/app/models/session.rb @@ -89,7 +89,7 @@ private def password_match? - salted_user_password == salted_db_password + ActiveSupport::SecurityUtils.secure_compare(salted_user_password, salted_db_password) end
String comparison using ==
P A S S W O R D P A
S S W O R D
P A S S W O R D P A
S S W O R D
P A S S W O R D P A
S S W O R D
P A S S W O R D P A
S S W O R D
P A S S W O R D P A
S S W O R D
P A S S W O R D P A
S S W O R D
P A S S W O R D P A
S S W O R D
P A S S W O R D P A
S S W O R D
P A S S W O R D P A
S S W O R D
P A S S W O R D P A
S S W O R D
P A S S W O R D P A
S S W O R D
P A S S W O R D P A
S S W O R D
P A S S W O R D P A
S S W O R D
P A S S W O R D P A
S S W O R D
P A S S W O R D P A
S S W O R D
P A S S W O R D P A
S S W O R D
P A S S W O R D P A
S S W O R D
P A S S W O R D P A
S S W O R D
P A S S W O R D P A
S S W O R D true
Time taken - μ20 true P A S S W
O R D P A S S W O R D
P I D S I N G T P A
S S W O R D
P I D S I N G T P A
S S W O R D
P I D S I N G T P A
S S W O R D
P I D S I N G T P A
S S W O R D
P I D S I N G T P A
S S W O R D
P I D S I N G T P A
S S W O R D
P I D S I N G T P A
S S W O R D false
P I D S I N G T P A
S S W O R D Time taken - μ1 false
This is OK
None
We
We
We Ruby
String comparison is supposed to work like that
The problem is the time taken μ1 - For the
wrong one μ20 - For the right one
P A S S W O R D P A
S S I N G T
P A S S I N G T P A
S S W O R D
P A S S I N G T P A
S S W O R D
P A S S W O R D P A
S S I N G T
P A S S I N G T P A
S S W O R D
P A S S I N G T P A
S S W O R D
P A S S I N G T P A
S S W O R D
P A S S I N G T P A
S S W O R D
P A S S I N G T P A
S S W O R D
P A S S I N G T P A
S S W O R D
P A S S I N G T P A
S S W O R D
P A S S I N G T P A
S S W O R D
P A S S I N G T P A
S S W O R D false
P A S S I N G T P A
S S W O R D Time taken - μ14 false
We have a pattern here
Longer it takes, more close to discover the password you
are
Avoiding this issue with .secure_compare
P A S S W O R D P A
S S I N G T
P A S S I N G T P A
S S W O R D
P A S S I N G T P A
S S W O R D
P A S S W O R D P A
S S I N G T
P A S S I N G T P A
S S W O R D
P A S S I N G T P A
S S W O R D
P A S S I N G T P A
S S W O R D
P A S S I N G T P A
S S W O R D
P A S S I N G T P A
S S W O R D
P A S S I N G T P A
S S W O R D
P A S S I N G T P A
S S W O R D
P A S S I N G T P A
S S W O R D
P A S S I N G T P A
S S W O R D
P A S S I N G T P A
S S W O R D
P A S S I N G T P A
S S W O R D
P A S S I N G T P A
S S W O R D
P A S S I N G T P A
S S W O R D
P A S S I N G T P A
S S W O R D
P A S S I N G T P A
S S W O R D false
P A S S I N G T P A
S S W O R D Time taken - μ20 false
None
We
We
We Rails
Thank You
stulzer
ewolff
kyonmm
hal_spidernight
nihonbuson
recruitengineers
kakehashi
.png){kind=avatar}
oidfj
oracle4engineer
kaonavi
tonkotsuboy_com
zozotech
shuta13
tenderlove
quramy
skipperchong
jonoalderson
jdejongh
swwweet
madoxten
keithpitt
maggiecrowley
aarron
chriscoyier
scottboms
