Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Timing Attack
Search
Rubens Stulzer
January 19, 2017
Technology
0
91
Timing Attack
Lightning Talk about how to securely compare two strings, using Rails.
Rubens Stulzer
January 19, 2017
Tweet
Share
More Decks by Rubens Stulzer
See All by Rubens Stulzer
Microservices - To hell and back
stulzer
0
230
My trip to Startup Nation
stulzer
0
71
Being Data Driven
stulzer
0
72
Passos para se tornar um programador Ruby
stulzer
0
59
Using Rails to build Growth Hacks Fast
stulzer
1
120
Using vim faster than the other guy
stulzer
1
190
Other Decks in Technology
See All in Technology
ビズリーチが挑む メトリクスを活用した技術的負債の解消 / dev-productivity-con2025
visional_engineering_and_design
3
6.7k
Understanding_Thread_Tuning_for_Inference_Servers_of_Deep_Models.pdf
lycorptech_jp
PRO
0
170
Tech-Verse 2025 Keynote
lycorptech_jp
PRO
0
1.8k
本が全く読めなかった過去の自分へ
genshun9
0
910
Core Audio tapを使ったリアルタイム音声処理のお話
yuta0306
0
180
作曲家がボカロを使うようにPdMはAIを使え
itotaxi
0
440
MobileActOsaka_250704.pdf
akaitadaaki
0
110
なぜ私はいま、ここにいるのか? #もがく中堅デザイナー #プロダクトデザイナー
bengo4com
0
1.3k
ドメイン特化なCLIPモデルとデータセットの紹介
tattaka
2
580
CursorによるPMO業務の代替 / Automating PMO Tasks with Cursor
motoyoshi_kakaku
2
930
2025-07-06 QGIS初級ハンズオン「はじめてのQGIS」
kou_kita
0
160
生成AI開発案件におけるClineの業務活用事例とTips
shinya337
0
240
Featured
See All Featured
Raft: Consensus for Rubyists
vanstee
140
7k
Building Better People: How to give real-time feedback that sticks.
wjessup
367
19k
Agile that works and the tools we love
rasmusluckow
329
21k
Typedesign – Prime Four
hannesfritz
42
2.7k
実際に使うSQLの書き方 徹底解説 / pgcon21j-tutorial
soudai
PRO
181
53k
The Art of Programming - Codeland 2020
erikaheidi
54
13k
Intergalactic Javascript Robots from Outer Space
tanoku
271
27k
The Invisible Side of Design
smashingmag
301
51k
Keith and Marios Guide to Fast Websites
keithpitt
411
22k
Principles of Awesome APIs and How to Build Them.
keavy
126
17k
Statistics for Hackers
jakevdp
799
220k
GraphQLの誤解/rethinking-graphql
sonatard
71
11k
Transcript
Timing Attack
~/awesome/project master= ∴
~/awesome/project master= ∴ git show f19c712702c9fced2461eabd2443c1009baffebb
~/awesome/project master= ∴ git show f19c712702c9fced2461eabd2443c1009baffebb commit f19c712702c9fced2461eabd2443c1009baffebb Author: Rubens
Stulzer <
[email protected]
> Date: Wed Apr 13 17:27:40 2016 -0300 Improves security when comparing password diff --git a/app/models/session.rb b/app/models/session.rb index 7041c8a..685c247 100644 --- a/app/models/session.rb +++ b/app/models/session.rb @@ -89,7 +89,7 @@ private def password_match? - salted_user_password == salted_db_password + ActiveSupport::SecurityUtils.secure_compare(salted_user_password, salted_db_password) end
String comparison using ==
P A S S W O R D P A
S S W O R D
P A S S W O R D P A
S S W O R D
P A S S W O R D P A
S S W O R D
P A S S W O R D P A
S S W O R D
P A S S W O R D P A
S S W O R D
P A S S W O R D P A
S S W O R D
P A S S W O R D P A
S S W O R D
P A S S W O R D P A
S S W O R D
P A S S W O R D P A
S S W O R D
P A S S W O R D P A
S S W O R D
P A S S W O R D P A
S S W O R D
P A S S W O R D P A
S S W O R D
P A S S W O R D P A
S S W O R D
P A S S W O R D P A
S S W O R D
P A S S W O R D P A
S S W O R D
P A S S W O R D P A
S S W O R D
P A S S W O R D P A
S S W O R D
P A S S W O R D P A
S S W O R D
P A S S W O R D P A
S S W O R D true
Time taken - μ20 true P A S S W
O R D P A S S W O R D
P I D S I N G T P A
S S W O R D
P I D S I N G T P A
S S W O R D
P I D S I N G T P A
S S W O R D
P I D S I N G T P A
S S W O R D
P I D S I N G T P A
S S W O R D
P I D S I N G T P A
S S W O R D
P I D S I N G T P A
S S W O R D false
P I D S I N G T P A
S S W O R D Time taken - μ1 false
This is OK
None
We
We
We Ruby
String comparison is supposed to work like that
The problem is the time taken μ1 - For the
wrong one μ20 - For the right one
P A S S W O R D P A
S S I N G T
P A S S I N G T P A
S S W O R D
P A S S I N G T P A
S S W O R D
P A S S W O R D P A
S S I N G T
P A S S I N G T P A
S S W O R D
P A S S I N G T P A
S S W O R D
P A S S I N G T P A
S S W O R D
P A S S I N G T P A
S S W O R D
P A S S I N G T P A
S S W O R D
P A S S I N G T P A
S S W O R D
P A S S I N G T P A
S S W O R D
P A S S I N G T P A
S S W O R D
P A S S I N G T P A
S S W O R D false
P A S S I N G T P A
S S W O R D Time taken - μ14 false
We have a pattern here
Longer it takes, more close to discover the password you
are
Avoiding this issue with .secure_compare
P A S S W O R D P A
S S I N G T
P A S S I N G T P A
S S W O R D
P A S S I N G T P A
S S W O R D
P A S S W O R D P A
S S I N G T
P A S S I N G T P A
S S W O R D
P A S S I N G T P A
S S W O R D
P A S S I N G T P A
S S W O R D
P A S S I N G T P A
S S W O R D
P A S S I N G T P A
S S W O R D
P A S S I N G T P A
S S W O R D
P A S S I N G T P A
S S W O R D
P A S S I N G T P A
S S W O R D
P A S S I N G T P A
S S W O R D
P A S S I N G T P A
S S W O R D
P A S S I N G T P A
S S W O R D
P A S S I N G T P A
S S W O R D
P A S S I N G T P A
S S W O R D
P A S S I N G T P A
S S W O R D
P A S S I N G T P A
S S W O R D false
P A S S I N G T P A
S S W O R D Time taken - μ20 false
None
We
We
We Rails
Thank You