RedDot Ruby Conf 2014

Almacenamiento seguro de contraseñas en aplicaciones Ruby

T.J. Schuck  · 




Extracto de la transcripción automática del vídeo realizada por YouTube.

okay this is a 80,000 plaintext passwords this is an open-source love story in three acts as you were promised in your programs like every good three act play we will start with a dramatis personae a listing of our characters in our play so first this is peppercorn

peppercorn is one of your users dogs and like a good dog owner the instant peppercorn sundar got peppercorn they changed all of their passwords on all of their services to peppercorn this is Mallory Mallory is an attacker Mallory is going to attempt to compromise

all of your users passwords well come back to her in a minute and this is me my name is TJ cook I am on the internet everywhere as TJ shook my name without the dots and spaces github Twitter etc I'm a developer at harvest we make the world's best time

tracking software if you do any consulting or freelance work or if you work for an agency or if you just get paid money for your time you're taught to check out harvest I am from New York and it took me a very long time to get here there you go hey New

York is twelve hours time shifted from here so it is literally halfway around the world it took me more than 24 hours to get here I left on Monday and arrived here on Wednesday so Tuesday just disappeared to the skies so if I start speaking in tongues or anything

it's because like the part of my brain responsible for speech and language got like mixed up while I was time traveling most notably for this talk I am NOT a security expert there are real life security experts that get paid lots of money to know a lot

of stuff about many things I don't know about if you have true security problems you should hire one of them but what is important is that I have to be a security expert strictly by virtue of the fact that I have users if there was a breach or a leak or

anything ignorance is not an excuse you can't say we just didn't know any better that won't absolve you from your sin so I have users so I must be a security expert you probably do as well so this is an attempt to get rid of some of that you know

excuse of ignorance so back to Malory let's talk about her attack good security is about layers you should have application level security to protect against sequel injection XSS CSRF all that fun stuff you should also have infrastructure level security

you should use a secure data center that people just can't walk into you should have physical firewalls between your devices however to truly analyze any individual layer of the security you should assume that all the other ones have failed so we have

to assume that this works Malory can just run her script and get a database dump of your users table so with that in mind let's kind of analyze how we could keep track of your users passwords to let them authenticate the easiest option is just plain text

just store your plain text passwords of your users this is obviously bad and no one here is doing this right right no one raised their hand but someone here is doing it they don't want to admit it but they do it because they have reasons you know they

just they run a site that's for ranking animated gifs it doesn't matter if there's a leak people will just be able to rank gifts on your user's behalf whatever but that that's not true because users reuse passwords we learned this about

peppercorns owners so when your database gets breached and they find out that your users passwords peppercorn they immediately go from your gif ranking site to banking websites and Gmail and Facebook and try that same password and because users use the same

passwords everywhere that will work and they will get in further and it will have a deeper leak into their online identity so we know this is bad so we need some way to obfuscate the data in this dump so the obvious first thing is well just encrypt it this

is a very secure encryption cipher known as wrote thirteen rot13 a Caesar cipher with a key thirteen you take all the characters and you move by 13 so a becomes n B becomes o C becomes P it's a nearly uncrackable unless you have the key this for example

could be something more complex like des 3 or a es 256 but the key to all of them is that they are reversible if you have the key so for this the key is 13 if you know that you can decrypt it for the other ones if you have the key you can decrypt it this is

bad though because our system is already compromised we also have to assume that if she was able to get a database dump she also has access to our application code where a secret might be or just the physical servers where the keys might be it's also important

to realize that an attacker could be a malicious employee they have access to a lot of your things that you know if they wanted to use them wrongly they could so the key here is that encryption is reversible the data is obvious gated but anyone with that secret

can decrypt it hashing is irreversible and that's kind of where we need to go to avoid being able to just take that dump and reverse everything out to get plaintext passwords so if you have the hashing function and you pass something into it like peppercorn

you get something out and then if you take something else like secret 1 2 3 4 and hash it you get something else out this hash is the output but if you have a hash there's no inverse function that you can apply to it to get the input so that's how

we kind of you know go one way there another benefit of hashing is that it's deterministic so if you have peppercorn you get an output if you hash peppercorn again you get the same output if you hash it a third time you get the same output so what's

[ ... ]

Nota: se han omitido las otras 2.822 palabras de la transcripción completa para cumplir con las normas de «uso razonable» de YouTube.