secure_equals 0.1

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: f9883242630ffc2552eb1859d0a0b869f218237b
+  data.tar.gz: 0222f297a7683a1927b92241e7fde4de2c9618f4
+SHA512:
+  metadata.gz: 0ba9b81d792b35adcabbe6163debddf1f8107b11c62b5c12d60cba6d4feab8577ae08a15aaea9bfe692712a5fce9d1d8ad84ecb5c2888a616646381ffdad3700
+  data.tar.gz: e66e06d162ac9d9983533330ea9d9e77d873bbbc4f9e63144dedfd5d196eaf02720a3c7dce13dceacd78618a8a48424731caac22959995ede2ccc63ffc60c9e7

data/README.md

@@ -0,0 +1,27 @@
+Secure equals provides a constant time equality method for ruby strings.
+
+By avoiding any branches that depend on the similarity of the two strings,
+we make it significantly harder for an attacker to discover properties of
+the secret by observing the time it takes to run the comparison.
+
+You should use this for checking checksums or shared secrets in your code.
+
+## Installation
+
+You can either `gem install secure_equals` or add `gem 'secure_equals'` to your Gemfile and then run `bundle install`
+
+## Usage
+
+```ruby
+SecureEquals.equal? checksum, @params[:checksum]
+```
+
+## TODO
+
+I was unable to implement a successful timing attack against ruby's string == on my Mac Book Pro; so while the code here looks promising, I've not actually been able to verify that it actually solves the problem.
+
+We should try running the attack on 16- and 32- byte sized chunks instead of the character-by-character mode, as I suspect the problem is memcmp(). Alternatively there might be a way to get higher resolution timings, or to use some stats that I don't know about, to make it work.
+
+## BUGS
+
+I'm pretty sure this must already exist somewhere...

data/lib/secure_equals.rb

@@ -0,0 +1,23 @@
+module SecureEquals
+  # Provides an equality method on strings that is not vulnerable to timing attacks.
+  #
+  # This prevents attackers from being able to guess the answer byte-by-byte using
+  # tiny differences in response time.
+  #
+  # @param [String] The secret string
+  # @param [String] The string provided by the user
+  # @return [Boolean] Are the strings the same?
+  #
+  def self.equal?(mine, theirs)
+    mine = mine.to_str
+    theirs = theirs.to_str
+    return false unless mine.length == theirs.length
+
+    difference = 0
+    0.upto(mine.length - 1) do |i|
+      difference |= (mine[i].ord ^ theirs[i].ord)
+    end
+
+    difference == 0
+  end
+end

data/secure_equals.gemspec

@@ -0,0 +1,12 @@
+Gem::Specification.new do |s|
+  s.name = "secure_equals"
+  s.version = "0.1"
+  s.platform = Gem::Platform::RUBY
+  s.author = "Conrad Irwin"
+  s.email = "conrad.irwin@gmail.com"
+  s.homepage = "http://github.com/Conradirwin/secure_equals"
+  s.summary = "Provides constant time equality for ruby strings"
+  s.description = "Constant time equality (also known as time insensitive equality) lets you compare user-provided strings with secrets in a way that does not leak data about those secrets."
+  s.files = `git ls-files`.split("\n")
+  s.require_path = "lib"
+end

data/test/timing_attack.rb

@@ -0,0 +1,80 @@
+require_relative '../lib/secure_equals'
+require 'securerandom'
+require 'hitimes'
+GC.disable
+
+class Box
+  def initialize
+    @secret = '0123456789abcdeffedcba0987654321'
+  end
+
+  # The expected score of a random guess is 0.5.
+  # The expected score of the correct answer is 1.
+  #
+  # If you are able to get scores consistently higher
+  # than 0.5 using only the guess method, then you
+  # have a successful timing attack.
+  def score(str)
+    score = 0.0
+    mine = @secret.each_byte.map{ |x| x.to_s(2) }.join
+    theirs = str.each_byte.map{ |x| x.to_s(2) }.join
+
+    mine.each_byte.zip(theirs.each_byte) do |a,b|
+      score += 1 if a == b
+    end
+    (score / mine.length)
+  end
+
+  class Weak < Box
+    def guess(str)
+      0.upto(@secret.length - 1) do |i|
+        return false unless @secret[i] == str[i]
+      end
+      true
+    end
+  end
+
+  class Standard < Box
+    def guess(str)
+      @secret == str
+    end
+  end
+
+  class Secure < Box
+    def guess(str)
+      SecureEquals.same? @secret, str
+    end
+  end
+end
+
+def brute_force(box, trials)
+  scores = []
+  1.times do
+    guess = '0' * 32
+    (0..32).each do |pos|
+      max = 0
+      result = nil
+      this_time = guess.dup
+      'abcdef0123456789'.each_char do |letter|
+        this_time[pos] = letter
+        time = Hitimes::Interval.measure do
+          trials.times{ box.guess this_time }
+        end
+        if time > max
+          max = time
+          result = letter
+        end
+      end
+      guess[pos] = result
+    end
+    scores << box.score(guess)
+  end
+
+  puts "average: #{scores.inject(&:+) / scores.size}"
+end
+
+10.times do
+  brute_force Box::Weak.new, 1000
+  brute_force Box::Standard.new, 100000
+  brute_force Box::Secure.new, 1000000
+end

metadata

@@ -0,0 +1,49 @@
+--- !ruby/object:Gem::Specification
+name: secure_equals
+version: !ruby/object:Gem::Version
+  version: '0.1'
+platform: ruby
+authors:
+- Conrad Irwin
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2013-11-11 00:00:00.000000000 Z
+dependencies: []
+description: Constant time equality (also known as time insensitive equality) lets
+  you compare user-provided strings with secrets in a way that does not leak data
+  about those secrets.
+email: conrad.irwin@gmail.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- README.md
+- lib/secure_equals.rb
+- secure_equals.gemspec
+- test/timing_attack.rb
+homepage: http://github.com/Conradirwin/secure_equals
+licenses: []
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.0.3
+signing_key: 
+specification_version: 4
+summary: Provides constant time equality for ruby strings
+test_files: []
+has_rdoc: