Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Timing Attack
Search
Rubens Stulzer
January 19, 2017
Technology
0
91
Timing Attack
Lightning Talk about how to securely compare two strings, using Rails.
Rubens Stulzer
January 19, 2017
Tweet
Share
More Decks by Rubens Stulzer
See All by Rubens Stulzer
Microservices - To hell and back
stulzer
0
230
My trip to Startup Nation
stulzer
0
71
Being Data Driven
stulzer
0
73
Passos para se tornar um programador Ruby
stulzer
0
59
Using Rails to build Growth Hacks Fast
stulzer
1
120
Using vim faster than the other guy
stulzer
1
190
Other Decks in Technology
See All in Technology
「育てる」サーバーレス 〜チーム開発研修で学んだ、小さく始めて大きく拡張するAWS設計〜
yu_kod
1
200
AI駆動開発 with MixLeap Study【大阪支部 #3】
lycorptech_jp
PRO
0
280
東京海上日動におけるセキュアな開発プロセスの取り組み
miyabit
0
200
Turn Your Community into a Fundraising Catalyst for Black Philanthropy Month
auctria
PRO
0
230
自分がLinc’wellで提供しているプロダクトを理解するためにやったこと
murabayashi
1
170
AI時代の知識創造 ─GeminiとSECIモデルで読み解く “暗黙知”と創造の境界線
nyagasan
0
170
Power Automate のパフォーマンス改善レシピ / Power Automate Performance Improvement Recipes
karamem0
0
280
Tableau API連携の罠!?脱スプシを夢見たはずが、逆に依存を深めた話
cuebic9bic
2
140
完璧を目指さない小さく始める信頼性向上
kakehashi
PRO
0
120
経験がないことを言い訳にしない、 AI時代の他領域への染み出し方
parayama0625
0
270
増え続ける脆弱性に立ち向かう: 事前対策と優先度づけによる 持続可能な脆弱性管理 / Confronting the Rise of Vulnerabilities: Sustainable Management Through Proactive Measures and Prioritization
nttcom
1
220
MCPに潜むセキュリティリスクを考えてみる
milix_m
1
900
Featured
See All Featured
Done Done
chrislema
184
16k
Building Better People: How to give real-time feedback that sticks.
wjessup
367
19k
It's Worth the Effort
3n
185
28k
Understanding Cognitive Biases in Performance Measurement
bluesmoon
29
1.8k
Design and Strategy: How to Deal with People Who Don’t "Get" Design
morganepeng
130
19k
Designing Experiences People Love
moore
142
24k
Rebuilding a faster, lazier Slack
samanthasiow
83
9.1k
個人開発の失敗を避けるイケてる考え方 / tips for indie hackers
panda_program
110
19k
GitHub's CSS Performance
jonrohan
1031
460k
Documentation Writing (for coders)
carmenintech
72
4.9k
No one is an island. Learnings from fostering a developers community.
thoeni
21
3.4k
KATA
mclloyd
30
14k
Transcript
Timing Attack
~/awesome/project master= ∴
~/awesome/project master= ∴ git show f19c712702c9fced2461eabd2443c1009baffebb
~/awesome/project master= ∴ git show f19c712702c9fced2461eabd2443c1009baffebb commit f19c712702c9fced2461eabd2443c1009baffebb Author: Rubens
Stulzer <rubens.junior@vivareal.com> Date: Wed Apr 13 17:27:40 2016 -0300 Improves security when comparing password diff --git a/app/models/session.rb b/app/models/session.rb index 7041c8a..685c247 100644 --- a/app/models/session.rb +++ b/app/models/session.rb @@ -89,7 +89,7 @@ private def password_match? - salted_user_password == salted_db_password + ActiveSupport::SecurityUtils.secure_compare(salted_user_password, salted_db_password) end
String comparison using ==
P A S S W O R D P A
S S W O R D
P A S S W O R D P A
S S W O R D
P A S S W O R D P A
S S W O R D
P A S S W O R D P A
S S W O R D
P A S S W O R D P A
S S W O R D
P A S S W O R D P A
S S W O R D
P A S S W O R D P A
S S W O R D
P A S S W O R D P A
S S W O R D
P A S S W O R D P A
S S W O R D
P A S S W O R D P A
S S W O R D
P A S S W O R D P A
S S W O R D
P A S S W O R D P A
S S W O R D
P A S S W O R D P A
S S W O R D
P A S S W O R D P A
S S W O R D
P A S S W O R D P A
S S W O R D
P A S S W O R D P A
S S W O R D
P A S S W O R D P A
S S W O R D
P A S S W O R D P A
S S W O R D
P A S S W O R D P A
S S W O R D true
Time taken - μ20 true P A S S W
O R D P A S S W O R D
P I D S I N G T P A
S S W O R D
P I D S I N G T P A
S S W O R D
P I D S I N G T P A
S S W O R D
P I D S I N G T P A
S S W O R D
P I D S I N G T P A
S S W O R D
P I D S I N G T P A
S S W O R D
P I D S I N G T P A
S S W O R D false
P I D S I N G T P A
S S W O R D Time taken - μ1 false
This is OK
None
We
We
We Ruby
String comparison is supposed to work like that
The problem is the time taken μ1 - For the
wrong one μ20 - For the right one
P A S S W O R D P A
S S I N G T
P A S S I N G T P A
S S W O R D
P A S S I N G T P A
S S W O R D
P A S S W O R D P A
S S I N G T
P A S S I N G T P A
S S W O R D
P A S S I N G T P A
S S W O R D
P A S S I N G T P A
S S W O R D
P A S S I N G T P A
S S W O R D
P A S S I N G T P A
S S W O R D
P A S S I N G T P A
S S W O R D
P A S S I N G T P A
S S W O R D
P A S S I N G T P A
S S W O R D
P A S S I N G T P A
S S W O R D false
P A S S I N G T P A
S S W O R D Time taken - μ14 false
We have a pattern here
Longer it takes, more close to discover the password you
are
Avoiding this issue with .secure_compare
P A S S W O R D P A
S S I N G T
P A S S I N G T P A
S S W O R D
P A S S I N G T P A
S S W O R D
P A S S W O R D P A
S S I N G T
P A S S I N G T P A
S S W O R D
P A S S I N G T P A
S S W O R D
P A S S I N G T P A
S S W O R D
P A S S I N G T P A
S S W O R D
P A S S I N G T P A
S S W O R D
P A S S I N G T P A
S S W O R D
P A S S I N G T P A
S S W O R D
P A S S I N G T P A
S S W O R D
P A S S I N G T P A
S S W O R D
P A S S I N G T P A
S S W O R D
P A S S I N G T P A
S S W O R D
P A S S I N G T P A
S S W O R D
P A S S I N G T P A
S S W O R D
P A S S I N G T P A
S S W O R D
P A S S I N G T P A
S S W O R D false
P A S S I N G T P A
S S W O R D Time taken - μ20 false
None
We
We
We Rails
Thank You