Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Timing Attack

Rubens Stulzer
January 19, 2017
Technology
0
83

Timing Attack

Lightning Talk about how to securely compare two strings, using Rails.

Rubens Stulzer

January 19, 2017
Tweet

More Decks by Rubens Stulzer

See All by Rubens Stulzer
Microservices - To hell and back
stulzer
0
220
My trip to Startup Nation
stulzer
0
66
Being Data Driven
stulzer
0
64
Passos para se tornar um programador Ruby
stulzer
0
55
Using Rails to build Growth Hacks Fast
stulzer
1
120
Using vim faster than the other guy
stulzer
1
180

Other Decks in Technology

See All in Technology
Women in Agile
kawaguti
PRO
2
170
(Simutrans) 所要時間ベース経路検索のご紹介
teamhimeh
0
100
CloudWatch Container Insightsを使ったAmazon ECSのリソース監視
umekou
1
120
DevSecOps入門:Security Development Lifecycleによる開発プロセスのセキュリティ強化
yuriemori
0
240
信頼性を支えるテレメトリーパイプラインの構築 / Building Telemetry Pipeline with OpenTelemetry
ymotongpoo
9
5k
レイクハウスとはなんだったのか?
akuwano
15
2k
オーティファイ会社紹介資料 / Autify Company Deck
autifyhq
10
120k
地方企業がクラウドを活用するヒント
miu_crescent
PRO
1
110
NOSTR, réseau social et espace de liberté décentralisé
rlifchitz
0
130
EDRからERM: PFN-SIRTが関わるセキュリティとリスクへの取り組み
pfn
PRO
0
110
MCP server を作って Claude Desktop アプリから kintone へアクセスすると楽しい
r3_yamauchi
PRO
1
120
業務ツールをAIエージェントとつなぐ - Composio
knishioka
0
110

Featured

See All Featured
ピンチをチャンスに:未来をつくるプロダクトロードマップ #pmconf2020
aki_iinuma
113
50k
CSS Pre-Processors: Stylus, Less & Sass
bermonpainter
356
29k
The Web Performance Landscape in 2024 [PerfNow 2024]
tammyeverts
3
380
Producing Creativity
orderedlist
PRO
343
39k
[RailsConf 2023] Rails as a piece of cake
palkan
53
5.2k
Evolution of real-time – Irina Nazarova, EuRuKo, 2024
irinanazarova
6
520
YesSQL, Process and Tooling at Scale
rocio
171
14k
Mobile First: as difficult as doing things right
swwweet
222
9.2k
Fontdeck: Realign not Redesign
paulrobertlloyd
82
5.3k
Optimizing for Happiness
mojombo
376
70k
Intergalactic Javascript Robots from Outer Space
tanoku
270
27k
Site-Speed That Sticks
csswizardry
3
310

Transcript

  1. Timing Attack

  2. ~/awesome/project master= ∴

  3. ~/awesome/project master= ∴ git show f19c712702c9fced2461eabd2443c1009baffebb

  4. ~/awesome/project master= ∴ git show f19c712702c9fced2461eabd2443c1009baffebb commit f19c712702c9fced2461eabd2443c1009baffebb Author: Rubens

    Stulzer <[email protected]> Date: Wed Apr 13 17:27:40 2016 -0300 Improves security when comparing password diff --git a/app/models/session.rb b/app/models/session.rb index 7041c8a..685c247 100644 --- a/app/models/session.rb +++ b/app/models/session.rb @@ -89,7 +89,7 @@ private def password_match? - salted_user_password == salted_db_password + ActiveSupport::SecurityUtils.secure_compare(salted_user_password, salted_db_password) end

  5. String comparison using ==

  6. P A S S W O R D P A

    S S W O R D

  7. P A S S W O R D P A

    S S W O R D

  8. P A S S W O R D P A

    S S W O R D

  9. P A S S W O R D P A

    S S W O R D

  10. P A S S W O R D P A

    S S W O R D

  11. P A S S W O R D P A

    S S W O R D

  12. P A S S W O R D P A

    S S W O R D

  13. P A S S W O R D P A

    S S W O R D

  14. P A S S W O R D P A

    S S W O R D

  15. P A S S W O R D P A

    S S W O R D

  16. P A S S W O R D P A

    S S W O R D

  17. P A S S W O R D P A

    S S W O R D

  18. P A S S W O R D P A

    S S W O R D

  19. P A S S W O R D P A

    S S W O R D

  20. P A S S W O R D P A

    S S W O R D

  21. P A S S W O R D P A

    S S W O R D

  22. P A S S W O R D P A

    S S W O R D

  23. P A S S W O R D P A

    S S W O R D

  24. P A S S W O R D P A

    S S W O R D true

  25. Time taken - μ20 true P A S S W

    O R D P A S S W O R D

  26. P I D S I N G T P A

    S S W O R D

  27. P I D S I N G T P A

    S S W O R D

  28. P I D S I N G T P A

    S S W O R D

  29. P I D S I N G T P A

    S S W O R D

  30. P I D S I N G T P A

    S S W O R D

  31. P I D S I N G T P A

    S S W O R D

  32. P I D S I N G T P A

    S S W O R D false

  33. P I D S I N G T P A

    S S W O R D Time taken - μ1 false

  34. This is OK

  35. None

  36. We

  37. We

  38. We Ruby

  39. String comparison is supposed to work like that

  40. The problem is the time taken μ1 - For the

    wrong one μ20 - For the right one

  41. P A S S W O R D P A

    S S I N G T

  42. P A S S I N G T P A

    S S W O R D

  43. P A S S I N G T P A

    S S W O R D

  44. P A S S W O R D P A

    S S I N G T

  45. P A S S I N G T P A

    S S W O R D

  46. P A S S I N G T P A

    S S W O R D

  47. P A S S I N G T P A

    S S W O R D

  48. P A S S I N G T P A

    S S W O R D

  49. P A S S I N G T P A

    S S W O R D

  50. P A S S I N G T P A

    S S W O R D

  51. P A S S I N G T P A

    S S W O R D

  52. P A S S I N G T P A

    S S W O R D

  53. P A S S I N G T P A

    S S W O R D false

  54. P A S S I N G T P A

    S S W O R D Time taken - μ14 false

  55. We have a pattern here

  56. Longer it takes, more close to discover the password you

    are

  57. Avoiding this issue with .secure_compare

  58. P A S S W O R D P A

    S S I N G T

  59. P A S S I N G T P A

    S S W O R D

  60. P A S S I N G T P A

    S S W O R D

  61. P A S S W O R D P A

    S S I N G T

  62. P A S S I N G T P A

    S S W O R D

  63. P A S S I N G T P A

    S S W O R D

  64. P A S S I N G T P A

    S S W O R D

  65. P A S S I N G T P A

    S S W O R D

  66. P A S S I N G T P A

    S S W O R D

  67. P A S S I N G T P A

    S S W O R D

  68. P A S S I N G T P A

    S S W O R D

  69. P A S S I N G T P A

    S S W O R D

  70. P A S S I N G T P A

    S S W O R D

  71. P A S S I N G T P A

    S S W O R D

  72. P A S S I N G T P A

    S S W O R D

  73. P A S S I N G T P A

    S S W O R D

  74. P A S S I N G T P A

    S S W O R D

  75. P A S S I N G T P A

    S S W O R D

  76. P A S S I N G T P A

    S S W O R D false

  77. P A S S I N G T P A

    S S W O R D Time taken - μ20 false
  78. None

  79. We

  80. We

  81. We Rails

  82. Thank You