Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Timing Attack

Rubens Stulzer
January 19, 2017
Technology
0
72

Timing Attack

Lightning Talk about how to securely compare two strings, using Rails.

Rubens Stulzer

January 19, 2017
Tweet

More Decks by Rubens Stulzer

See All by Rubens Stulzer
Microservices - To hell and back
stulzer
0
190
My trip to Startup Nation
stulzer
0
59
Being Data Driven
stulzer
0
56
Passos para se tornar um programador Ruby
stulzer
0
47
Using Rails to build Growth Hacks Fast
stulzer
1
110
Using vim faster than the other guy
stulzer
1
180

Other Decks in Technology

See All in Technology
Postman v10リリース後を振り返る / Looking back at Postman v10 after release
yokawasa
1
150
「スニダン」開発組織の構造に込めた意図 ~組織作りはパッションや政治ではない!~
rinchsan
3
520
Azure犬駆動開発の記録/GlobalAzureFukuoka2024_20240420
nina01
1
190
FrontDoorとWebAppsを組み合わせた際のリダイレクト処理の注意点
kenichirokimura
1
480
[PlatformCon 24] Platform Orchestrators: The Missing Middle of Internal Developer Platforms?
danielbryantuk
1
830
ユーザーストーリーのレビューを自動化したみたの
bun913
1
410
On Your Data を超えていく!
hirotomotaguchi
2
650
Compose Compiler Metricsを使った実践的なコードレビュー
tomorrowkey
1
210
JAWS-UG Bedrock Claude Night
yamahiro
3
530
MLOpsの「壁」を乗り越える、LINEヤフーの Data Quality as Code
lycorptech_jp
PRO
4
270
チームでロジカルシンキングに改めて向き合っている話 〜学習環境と実践⽅法〜
sansantech
PRO
1
970
AOAI をきっかけに​ 社内の Azure 管理を見直した話​
recruitengineers
PRO
1
240

Featured

See All Featured
Product Roadmaps are Hard
iamctodd
44
9.7k
I Don’t Have Time: Getting Over the Fear to Launch Your Podcast
jcasabona
21
1.6k
GraphQLの誤解/rethinking-graphql
sonatard
50
9.2k
Creatively Recalculating Your Daily Design Routine
revolveconf
210
11k
Bash Introduction
62gerente
604
210k
Infographics Made Easy
chrislema
238
18k
Designing on Purpose - Digital PM Summit 2013
jponch
110
6.5k
Large-scale JavaScript Application Architecture
addyosmani
504
110k
Designing for Performance
lara
601
67k
Happy Clients
brianwarren
92
6.4k
Rails Girls Zürich Keynote
gr2m
91
13k
The World Runs on Bad Software
bkeepers
PRO
61
6.7k

Transcript

  1. Timing Attack

  2. ~/awesome/project master= ∴

  3. ~/awesome/project master= ∴ git show f19c712702c9fced2461eabd2443c1009baffebb

  4. ~/awesome/project master= ∴ git show f19c712702c9fced2461eabd2443c1009baffebb commit f19c712702c9fced2461eabd2443c1009baffebb Author: Rubens

    Stulzer <[email protected]> Date: Wed Apr 13 17:27:40 2016 -0300 Improves security when comparing password diff --git a/app/models/session.rb b/app/models/session.rb index 7041c8a..685c247 100644 --- a/app/models/session.rb +++ b/app/models/session.rb @@ -89,7 +89,7 @@ private def password_match? - salted_user_password == salted_db_password + ActiveSupport::SecurityUtils.secure_compare(salted_user_password, salted_db_password) end

  5. String comparison using ==

  6. P A S S W O R D P A

    S S W O R D

  7. P A S S W O R D P A

    S S W O R D

  8. P A S S W O R D P A

    S S W O R D

  9. P A S S W O R D P A

    S S W O R D

  10. P A S S W O R D P A

    S S W O R D

  11. P A S S W O R D P A

    S S W O R D

  12. P A S S W O R D P A

    S S W O R D

  13. P A S S W O R D P A

    S S W O R D

  14. P A S S W O R D P A

    S S W O R D

  15. P A S S W O R D P A

    S S W O R D

  16. P A S S W O R D P A

    S S W O R D

  17. P A S S W O R D P A

    S S W O R D

  18. P A S S W O R D P A

    S S W O R D

  19. P A S S W O R D P A

    S S W O R D

  20. P A S S W O R D P A

    S S W O R D

  21. P A S S W O R D P A

    S S W O R D

  22. P A S S W O R D P A

    S S W O R D

  23. P A S S W O R D P A

    S S W O R D

  24. P A S S W O R D P A

    S S W O R D true

  25. Time taken - μ20 true P A S S W

    O R D P A S S W O R D

  26. P I D S I N G T P A

    S S W O R D

  27. P I D S I N G T P A

    S S W O R D

  28. P I D S I N G T P A

    S S W O R D

  29. P I D S I N G T P A

    S S W O R D

  30. P I D S I N G T P A

    S S W O R D

  31. P I D S I N G T P A

    S S W O R D

  32. P I D S I N G T P A

    S S W O R D false

  33. P I D S I N G T P A

    S S W O R D Time taken - μ1 false

  34. This is OK

  35. None

  36. We

  37. We

  38. We Ruby

  39. String comparison is supposed to work like that

  40. The problem is the time taken μ1 - For the

    wrong one μ20 - For the right one

  41. P A S S W O R D P A

    S S I N G T

  42. P A S S I N G T P A

    S S W O R D

  43. P A S S I N G T P A

    S S W O R D

  44. P A S S W O R D P A

    S S I N G T

  45. P A S S I N G T P A

    S S W O R D

  46. P A S S I N G T P A

    S S W O R D

  47. P A S S I N G T P A

    S S W O R D

  48. P A S S I N G T P A

    S S W O R D

  49. P A S S I N G T P A

    S S W O R D

  50. P A S S I N G T P A

    S S W O R D

  51. P A S S I N G T P A

    S S W O R D

  52. P A S S I N G T P A

    S S W O R D

  53. P A S S I N G T P A

    S S W O R D false

  54. P A S S I N G T P A

    S S W O R D Time taken - μ14 false

  55. We have a pattern here

  56. Longer it takes, more close to discover the password you

    are

  57. Avoiding this issue with .secure_compare

  58. P A S S W O R D P A

    S S I N G T

  59. P A S S I N G T P A

    S S W O R D

  60. P A S S I N G T P A

    S S W O R D

  61. P A S S W O R D P A

    S S I N G T

  62. P A S S I N G T P A

    S S W O R D

  63. P A S S I N G T P A

    S S W O R D

  64. P A S S I N G T P A

    S S W O R D

  65. P A S S I N G T P A

    S S W O R D

  66. P A S S I N G T P A

    S S W O R D

  67. P A S S I N G T P A

    S S W O R D

  68. P A S S I N G T P A

    S S W O R D

  69. P A S S I N G T P A

    S S W O R D

  70. P A S S I N G T P A

    S S W O R D

  71. P A S S I N G T P A

    S S W O R D

  72. P A S S I N G T P A

    S S W O R D

  73. P A S S I N G T P A

    S S W O R D

  74. P A S S I N G T P A

    S S W O R D

  75. P A S S I N G T P A

    S S W O R D

  76. P A S S I N G T P A

    S S W O R D false

  77. P A S S I N G T P A

    S S W O R D Time taken - μ20 false
  78. None

  79. We

  80. We

  81. We Rails

  82. Thank You