pahanix & IT

yet another passionate programmer

16 notes &

Interesting commits #1

Devise. [dd721f] Use secure compare as well.

# constant-time comparison algorithm to prevent timing attacks
def self.secure_compare(a, b)
  return false unless a.present? && b.present?
  return false unless a.bytesize == b.bytesize
  l = a.unpack "C#{a.bytesize}"

  res = 0
  b.each_byte { |byte| res |= byte ^ l.shift }
  res == 0
end

In short, a timing attack uses statistical analysis of how long it takes your application to do something in order to learn something about the data it’s operating on. For HMACs, this means using the amount of time your application takes to compare a given value with a calculated value to learn information about the calculated value.

A Lesson In Timing Attacks

Filed under devise ruby

  1. pahanix posted this