It also relies on code being structured in such a way that makes detecting this easy. It relies on us developers correctly identifying which fields deserve this designation. Which brings us to the part of this that’s a little less fun: this solution doesn’t technically solve the whole class of problems. Assuming that they’re used incorrectly in the way that we expect. In doing so, the tool identified two more cases that were not identified as part of the pentest, and best of all now that it’s part of our CI pipeline we shouldn’t be seeing this problem in the future. In 1997 a kind of triple DH was proposed by Simon Blake-Wilson, Don Johnson, Alfred Menezes in Key Agreement Protocols and their Security Analysis (1997). Once the tool was built, we just needed to annotate the relevant fields on our structures. Users/rfillion/go/src/go.1password.io/b5/server/src/logic/action/recovery.go:174 Found raw comparison of field 'VerificationToken'. $ go-directequality-checker go.1password.io/b5/server/src/logic/action Using our previous example, this is what it’d look like: Go has just the thing to describe this: field tags. We decided that the best way to do so was to define which fields in a Go struct were not safe to compare in a non-constant-time manner. The only tricky part was to determine how we were going to find these cases without inundating ourselves with false-positives. Luckily for us though, the Go packages library comes with the tools for us to build a custom static analysis solution to this problem! Unfortunately, it can’t help us solve this particular problem. There are a plethora of great static analysis tools for Go, for example there’s securego/gosec to help find security problems. To solve this problem, we used a custom static analysis tool that we now run as part of our continuous integration system so that every Merge Request is pushed to our GitLab instance. How can we ensure that we aren’t making the same mistake elsewhere? We could manually check by searching for ‘user.VerificationToken’ references,’ but how do we ensure this mistake doesn’t happen again? Building a solution As developers we’re less interested in solving one specific problem so much as a whole class of problems. So now we know why doing these comparisons in constant time is important, and how we might go about fixing this particular issue. As a general rule though, we try to make sure that whenever we verify your information we apply constant time comparisons. Sometimes we don’t have a concrete attack in mind - because we can’t always look in the minds of our attackers, or look into the future of how our codebase evolves. Sometimes we have concrete attacks in mind: we don’t want to leak information on whether you supplied the right or wrong session key. One such piece of information is how long the server takes to validate your information. At 1Password we try our best to stop attackers from learning anything about what’s going on inside our servers. VerificationToken ), byte ( token )) != 1Īn identical timeframe for “true” and “false” comparisons minimizes what an attacker can learn from a request. Fixing this is quite simple, you change something that looked like: We use the Go programming language for our server, and Go has the crypto/subtle package which provides functions to do this. A constant-time approach ensures that the comparison always takes the same amount of time, regardless of the outcome. The recipient uses this to effectively prove they received the email and control the email account. In this case, the comparison was a token string that is sent to the user via email. It’s recommended that security-sensitive comparisons be done in a constant-time manner. What are we trying to solve?īefore we get to the solution, let’s talk about the problem. You can expect these to be technical, nerdy, and frankly… not nearly as polished as what our crack marketing and content teams put out. This is the first in a series of new developer-written posts on our blog about Building 1Password, a behind-the-scenes look at what goes into making the app. The fix, while trivial, created an interesting challenge for us: How can we confidently say that we don’t have this issue elsewhere? A recent penetration test by Cure53 identified a case where the 1Password server wasn’t using a constant-time comparison when it should. Now you create a palette that maps ANSI colors to the numbers.At 1Password, we regularly hire outside experts to check our source code and look for security vulnerabilities. Now you create a template with a string of the same character length like this: 0123456 Let's say you have a string like this: Rainbow!
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |