Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Timing Attack

Rubens Stulzer
January 19, 2017
Technology
0
83

Timing Attack

Lightning Talk about how to securely compare two strings, using Rails.

Rubens Stulzer

January 19, 2017
Tweet

More Decks by Rubens Stulzer

See All by Rubens Stulzer
Microservices - To hell and back
stulzer
0
210
My trip to Startup Nation
stulzer
0
62
Being Data Driven
stulzer
0
63
Passos para se tornar um programador Ruby
stulzer
0
54
Using Rails to build Growth Hacks Fast
stulzer
1
120
Using vim faster than the other guy
stulzer
1
180

Other Decks in Technology

See All in Technology
アプリエンジニアのためのGraphQL入門.pdf
spycwolf
0
130
Python(PYNQ)がテーマのAMD主催のFPGAコンテストに参加してきた
iotengineer22
0
570
Terraform Stacks入門 #HashiTalks
msato
0
370
Lambda10周年!Lambdaは何をもたらしたか
smt7174
2
140
The Role of Developer Relations in AI Product Success.
giftojabu1
0
160
Mastering Quickfix
daisuzu
1
350
DynamoDB でスロットリングが発生したとき_大盛りver/when_throttling_occurs_in_dynamodb_long
emiki
1
490
【LT】ソフトウェア産業は進化しているのか? #Agilejapan
takabow
0
120
【令和最新版】AWS Direct Connectと愉快なGWたちのおさらい
minorun365
PRO
5
810
Chasing the White Whale of Open Source - ROI
mrbobbytables
0
120
BLADE: An Attempt to Automate Penetration Testing Using Autonomous AI Agents
bbrbbq
0
340
AI前提のサービス運用ってなんだろう?
ryuichi1208
8
1.4k

Featured

See All Featured
Docker and Python
trallard
40
3.1k
Git: the NoSQL Database
bkeepers
PRO
427
64k
Evolution of real-time – Irina Nazarova, EuRuKo, 2024
irinanazarova
4
380
Code Review Best Practice
trishagee
64
17k
Visualization
eitanlees
145
15k
Producing Creativity
orderedlist
PRO
341
39k
実際に使うSQLの書き方 徹底解説 / pgcon21j-tutorial
soudai
169
50k
VelocityConf: Rendering Performance Case Studies
addyosmani
325
24k
"I'm Feeling Lucky" - Building Great Search Experiences for Today's Users (#IAC19)
danielanewman
226
22k
Optimising Largest Contentful Paint
csswizardry
33
2.9k
Designing Experiences People Love
moore
138
23k
Designing on Purpose - Digital PM Summit 2013
jponch
115
7k

Transcript

  1. Timing Attack

  2. ~/awesome/project master= ∴

  3. ~/awesome/project master= ∴ git show f19c712702c9fced2461eabd2443c1009baffebb

  4. ~/awesome/project master= ∴ git show f19c712702c9fced2461eabd2443c1009baffebb commit f19c712702c9fced2461eabd2443c1009baffebb Author: Rubens

    Stulzer <[email protected]> Date: Wed Apr 13 17:27:40 2016 -0300 Improves security when comparing password diff --git a/app/models/session.rb b/app/models/session.rb index 7041c8a..685c247 100644 --- a/app/models/session.rb +++ b/app/models/session.rb @@ -89,7 +89,7 @@ private def password_match? - salted_user_password == salted_db_password + ActiveSupport::SecurityUtils.secure_compare(salted_user_password, salted_db_password) end

  5. String comparison using ==

  6. P A S S W O R D P A

    S S W O R D

  7. P A S S W O R D P A

    S S W O R D

  8. P A S S W O R D P A

    S S W O R D

  9. P A S S W O R D P A

    S S W O R D

  10. P A S S W O R D P A

    S S W O R D

  11. P A S S W O R D P A

    S S W O R D

  12. P A S S W O R D P A

    S S W O R D

  13. P A S S W O R D P A

    S S W O R D

  14. P A S S W O R D P A

    S S W O R D

  15. P A S S W O R D P A

    S S W O R D

  16. P A S S W O R D P A

    S S W O R D

  17. P A S S W O R D P A

    S S W O R D

  18. P A S S W O R D P A

    S S W O R D

  19. P A S S W O R D P A

    S S W O R D

  20. P A S S W O R D P A

    S S W O R D

  21. P A S S W O R D P A

    S S W O R D

  22. P A S S W O R D P A

    S S W O R D

  23. P A S S W O R D P A

    S S W O R D

  24. P A S S W O R D P A

    S S W O R D true

  25. Time taken - μ20 true P A S S W

    O R D P A S S W O R D

  26. P I D S I N G T P A

    S S W O R D

  27. P I D S I N G T P A

    S S W O R D

  28. P I D S I N G T P A

    S S W O R D

  29. P I D S I N G T P A

    S S W O R D

  30. P I D S I N G T P A

    S S W O R D

  31. P I D S I N G T P A

    S S W O R D

  32. P I D S I N G T P A

    S S W O R D false

  33. P I D S I N G T P A

    S S W O R D Time taken - μ1 false

  34. This is OK

  35. None

  36. We

  37. We

  38. We Ruby

  39. String comparison is supposed to work like that

  40. The problem is the time taken μ1 - For the

    wrong one μ20 - For the right one

  41. P A S S W O R D P A

    S S I N G T

  42. P A S S I N G T P A

    S S W O R D

  43. P A S S I N G T P A

    S S W O R D

  44. P A S S W O R D P A

    S S I N G T

  45. P A S S I N G T P A

    S S W O R D

  46. P A S S I N G T P A

    S S W O R D

  47. P A S S I N G T P A

    S S W O R D

  48. P A S S I N G T P A

    S S W O R D

  49. P A S S I N G T P A

    S S W O R D

  50. P A S S I N G T P A

    S S W O R D

  51. P A S S I N G T P A

    S S W O R D

  52. P A S S I N G T P A

    S S W O R D

  53. P A S S I N G T P A

    S S W O R D false

  54. P A S S I N G T P A

    S S W O R D Time taken - μ14 false

  55. We have a pattern here

  56. Longer it takes, more close to discover the password you

    are

  57. Avoiding this issue with .secure_compare

  58. P A S S W O R D P A

    S S I N G T

  59. P A S S I N G T P A

    S S W O R D

  60. P A S S I N G T P A

    S S W O R D

  61. P A S S W O R D P A

    S S I N G T

  62. P A S S I N G T P A

    S S W O R D

  63. P A S S I N G T P A

    S S W O R D

  64. P A S S I N G T P A

    S S W O R D

  65. P A S S I N G T P A

    S S W O R D

  66. P A S S I N G T P A

    S S W O R D

  67. P A S S I N G T P A

    S S W O R D

  68. P A S S I N G T P A

    S S W O R D

  69. P A S S I N G T P A

    S S W O R D

  70. P A S S I N G T P A

    S S W O R D

  71. P A S S I N G T P A

    S S W O R D

  72. P A S S I N G T P A

    S S W O R D

  73. P A S S I N G T P A

    S S W O R D

  74. P A S S I N G T P A

    S S W O R D

  75. P A S S I N G T P A

    S S W O R D

  76. P A S S I N G T P A

    S S W O R D false

  77. P A S S I N G T P A

    S S W O R D Time taken - μ20 false
  78. None

  79. We

  80. We

  81. We Rails

  82. Thank You