
Chapter 3.3 - User authorization & safety

Presented by: Maciej Mensfeld

maciej@mensfeld.pl
dev.mensfeld.pl
github.com/mensfeld


Ruby on Rails: User authorization & safety

Please…

• …ask me to slow down, if I speak too quickly;
• …ask me again, if I forget;
• …ask questions, if anything I say is not clear;
• …feel free to share your own observations.

Let’s start with a naive approach!

(Diagram: Login and Password stored directly in the DB)

And… let’s do it!

User model (or an update if it already exists):

rails g migration NAME

login: string, null: false, unique: true
password: string, null: false

Quite good but…

What’s wrong with this approach?

But we don’t have any data that…

Most stolen data can be used somehow!

Simple case study

SHA + Salt @ Shippuuden.pl

Simple case study

• You should not use MD5
• You should not use MD5(MD5)
• Any hash algorithm can be broken with a brute-force attack
• Any brute-force attack can be made faster with rainbow tables
• It is way easier when passwords are short :)

Static vs dynamic salt

md5(md5), sha2(sha2)

Secure Salted Password Hashing

What is a cryptographic hash?

A cryptographic hash function is a deterministic procedure that takes an arbitrary block of data and returns a fixed-size bit string, the (cryptographic) hash value, such that an accidental or intentional change to the data will change the hash value. The data to be encoded is often called the “message,” and the hash value is sometimes called the message digest or simply digest.

4e2ecff8f8be5a7d4d8821266d956d844aa5b8eebd5983edbaaa6fa7fc9bc9e21de42d443f50d8608a79f6507b7e95c6d4a913615c85710f86a40bc23cdc5d5d
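The three properties in that definition (deterministic, fixed-size output, any change alters the digest) can be checked directly with Ruby's standard library. The following is an added example, not code from the slides; it uses SHA-512, whose 128-character hex digest has the same shape as the one shown above, and `differing_bits` measures how many of the 512 bits change when one character of the message changes.

```ruby
require 'digest/sha2'

# Hex SHA-512 digest of a message: 512 bits, i.e. 128 hex characters.
def sha512_hex(message)
  Digest::SHA512.hexdigest(message)
end

# Deterministic: hashing the same message twice gives the same digest.
def deterministic?(message)
  sha512_hex(message) == sha512_hex(message)
end

# Fixed size: every input, empty or huge, yields a 128-character hex digest.
def fixed_size?(*messages)
  messages.all? { |m| sha512_hex(m).length == 128 }
end

# Number of bits that differ between the digests of two messages. For two
# different messages this is roughly half of the 512 bits, even when the
# messages differ in a single character (the "avalanche" property).
def differing_bits(a, b)
  da = Digest::SHA512.digest(a).bytes
  db = Digest::SHA512.digest(b).bytes
  da.zip(db).sum { |x, y| (x ^ y).to_s(2).count('1') }
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample messages
  puts sha512_hex('password')
  puts "bits changed by one character: #{differing_bits('password', 'passworD')}"
end
```

Note what the definition does not promise: nothing here makes the function slow, so a short message (a password) can still be found by trying candidates, which is what the following slides address.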

Passwords should not be weak!

When we store users’ passwords in our systems (databases, files, etc.), they should be safe. If we get hacked and our database gets stolen, the passwords should still be protected. No one should be able to read them.

Most users have one password for all their web activities, so if this password gets stolen, the cracker will probably be able to log in to the victim’s Facebook, Twitter and any other web accounts.

But what about brute-force attacks? Any password should be validated before use. It should not be too short or too simple. We can do it by using a regular expression:

^(?=.*\d)(?=.*([a-z]|[A-Z]))([\x20-\x7E]){8,40}$
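The regex above, put to work as a validator. This is an added example, not code from the slides. It keeps the slide's pattern as `PASSWORD_LINE_ANCHORED` and adds a `\A`/`\z` variant, because in Ruby `^` and `$` match at line boundaries, so a submitted value containing a newline can pass the line-anchored check even though the whole string is not a valid password; `password_problems` is a hypothetical helper that reports which rule failed.

```ruby
# Password policy from the slide: 8..40 printable ASCII characters, at least one
# digit and at least one letter. PASSWORD_LINE_ANCHORED is the slide's regex as
# written; PASSWORD_STRING_ANCHORED is the same policy anchored to the whole string.
PASSWORD_LINE_ANCHORED   = /^(?=.*\d)(?=.*([a-z]|[A-Z]))([\x20-\x7E]){8,40}$/
PASSWORD_STRING_ANCHORED = /\A(?=.*\d)(?=.*[a-zA-Z])[\x20-\x7E]{8,40}\z/

# Whole-string check; the string-anchored pattern is the default.
def strong_password?(password, pattern = PASSWORD_STRING_ANCHORED)
  pattern.match?(password)
end

# In Ruby, ^ and $ match at line boundaries, so a value containing a newline can
# satisfy the line-anchored regex while only one of its lines is a valid password.
# Returns every candidate the line-anchored pattern accepts but the
# string-anchored one rejects.
def anchor_escapes(candidates)
  candidates.select do |c|
    strong_password?(c, PASSWORD_LINE_ANCHORED) && !strong_password?(c)
  end
end

# Per-rule feedback for a sign-up form; an empty list means the password passes.
def password_problems(password)
  problems = []
  problems << 'must be 8-40 characters' unless (8..40).cover?(password.length)
  problems << 'must contain a digit' unless password.match?(/\d/)
  problems << 'must contain a letter' unless password.match?(/[a-zA-Z]/)
  problems << 'must contain only printable ASCII' unless password.match?(/\A[\x20-\x7E]*\z/)
  problems
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample inputs
  ['Passw0rd', 'short1', "Passw0rd\n", "x\nPassw0rd"].each do |pw|
    puts "#{pw.inspect}: line-anchored=#{strong_password?(pw, PASSWORD_LINE_ANCHORED)} " \
         "string-anchored=#{strong_password?(pw)}"
  end
end
```

In a Rails model, `validates :password, format: { with: ... }` refuses a pattern that uses `^` or `$` unless you pass `multiline: true` (Rails 4.0 and later), precisely because of the newline case above; use the `\A`/`\z` form there. The regex enforces only length and character classes, so a dictionary word that happens to contain a digit still passes it.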

Salt, salt, salt

How to generate and use a salt? The easiest way is to use one global salt. Example:

As you can see above, using a salt will dramatically increase password strength. One global salt has one major and really big disadvantage: if two users have the same password, they will also have the same output hash. So, if we have a lot of users and some of them have the same hashed password, we need to figure out only one hash and we will have access to the accounts of all the other users with the same hash. We can also generate our own rainbow table dedicated to our cryptographic hash function and salt.

Salt, salt, salt

To protect against such attacks we should use a unique per-user salt. How to generate such a salt? Combine some per-user data and some random data. Example:

We store the salt together with the password hash. Don’t worry, it is safe. Since each user has their own unique hash, no general rainbow table exists. Mix password, dynamic and static salt and you will be safe. Furthermore, when mixing salts and password in a unique way, until the cracker steals both the database and the source code, he will not know how to generate rainbow tables. Example:

Let’s implement!

require 'digest/sha2'

What do we need?

• Password and password confirmation
• salt (persisted)
• hashed_password (persisted)
• Login
• Logout
• password checker
• hashed password generator
• salt generator
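The static-plus-dynamic salt scheme from the previous slides and the checklist above, worked through in plain Ruby with `digest/sha2`. This is an added example, not the author's implementation or a Rails model: `User` is an in-memory stand-in whose only persisted fields are `salt` and `hashed_password`, the `STATIC_SALT` value is a constructed placeholder, the `"static:dynamic:password"` layout of `hash_password` is one possible mixing and not something the slides prescribe, and `secure_compare` is a hypothetical constant-time comparison added for the password checker. `same_password_same_hash?` and `same_password_different_hash?` show the global-salt weakness and the per-user fix side by side.

```ruby
require 'digest/sha2'
require 'securerandom'

# Hypothetical "static salt" shared by all users (also called a pepper).
# Constructed value for this example; in a real app it lives outside the
# database (e.g. an environment variable), so a stolen DB alone is not enough
# to rebuild the hashes.
STATIC_SALT = 'constructed-static-salt-for-this-example'.freeze

module PasswordHashing
  module_function

  # Salt generator: a random per-user ("dynamic") salt, 16 bytes as hex.
  def generate_salt
    SecureRandom.hex(16)
  end

  # Hashed password generator: mixes static salt, dynamic salt and password.
  # The separators keep the three parts unambiguous.
  def hash_password(password, dynamic_salt, static_salt = STATIC_SALT)
    Digest::SHA256.hexdigest("#{static_salt}:#{dynamic_salt}:#{password}")
  end

  # Password checker: recompute and compare in constant time so the comparison
  # does not leak how many leading characters matched.
  def password_matches?(password, dynamic_salt, stored_hash, static_salt = STATIC_SALT)
    secure_compare(hash_password(password, dynamic_salt, static_salt), stored_hash)
  end

  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Minimal in-memory stand-in for the User model: only `salt` and
# `hashed_password` are persisted; the plain password never is.
class User
  attr_reader :login, :salt, :hashed_password

  def initialize(login, password, password_confirmation)
    raise ArgumentError, 'password confirmation does not match' unless password == password_confirmation
    @login = login
    @salt = PasswordHashing.generate_salt
    @hashed_password = PasswordHashing.hash_password(password, @salt)
  end

  # Login check: true only for the correct password.
  def authenticate(password)
    PasswordHashing.password_matches?(password, salt, hashed_password)
  end
end

# With only the global salt, two users sharing a password share a hash, so
# cracking one hash unlocks every account that has it.
def same_password_same_hash?(password, static_salt = STATIC_SALT)
  alice = Digest::SHA256.hexdigest("#{static_salt}:#{password}")
  bob   = Digest::SHA256.hexdigest("#{static_salt}:#{password}")
  alice == bob
end

# With a per-user salt, the same password yields different stored hashes.
def same_password_different_hash?(password)
  User.new('alice', password, password).hashed_password !=
    User.new('bob', password, password).hashed_password
end

if __FILE__ == $PROGRAM_NAME
  user = User.new('alice', 'Passw0rd!', 'Passw0rd!')  # constructed sample user
  puts "salt: #{user.salt}"
  puts "hashed_password: #{user.hashed_password}"
  puts "login ok: #{user.authenticate('Passw0rd!')}"
  puts "global salt only, shared hash: #{same_password_same_hash?('Passw0rd!')}"
  puts "per-user salt, distinct hashes: #{same_password_different_hash?('Passw0rd!')}"
end
```

The assertions a unit test for this model would make (correct password authenticates, wrong one does not, two users with the same password get different hashes) map directly onto the spec the next slide asks for. A salted SHA-256 is still a fast hash, so each guess costs an attacker one cheap digest; a current Rails app would keep exactly this shape (persisted salt, generator, checker) but use a deliberately slow password hash such as bcrypt via `has_secure_password` instead of `Digest::SHA256`.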

Spec for User model

Put the test spec into the test/units directory:

ruby -Itest ./test/units/user_test.rb

Ruby: User authorization & safety

Live long and prosper!

Presented by: Maciej Mensfeld

maciej@mensfeld.pl
github.com/mensfeld