Re: Timing Cryptanalysis Attack
On Tue, 12 Dec 1995, Anonymous wrote:
> > Timings like the ones listed are trivial to take in
> > establishing things like SSL sessions, or Photuris sessions.
> > The danger is to online protocols, not to PGP.
> This must be a new and interesting definition of the word
> "trivial" with which I was previously unfamiliar.
>
> Quite frankly, I would be extremely surprised if anyone mounted a
> successful hostile attack against a server's RSA certificate
> using timings of remotely initiated SSL sessions outside of a
> controlled laboratory environment.
Well, let's put it this way: people have hacked machines through firewalls
via IP spoofing, and broken a single SSL RC4-40 bit session after weeks of
CPU time. Are you saying that perhaps being able to break a fixed
Diffie-Hellman key on a central router/computer would not be worth trying?
Remember, if you broke this key and had recorded the last 6 months' worth
of traffic, you can now decode all of this traffic. Once you have that
secret key and those packet logs, the decoding is a trivial and mechanical
process (trust me on this one). One of the major advantages of choosing a
new secret key per DH negotiation is that you lose this capacity to
decrypt previous and future sessions. When we talk about taking 100s of
years to factor large primes, a system that may work after a month or 2 of
collecting data and statistics is definitely an easier proposition,
especially when the reward is all past and future traffic.
eric
--
Eric Young | Signature removed since it was generating
AARNet: [email protected] | more followups than the message contents :-)
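The scenario in Eric's reply, as an added example that is not part of the original message or any of Eric Young's code: a router uses one fixed Diffie-Hellman private key for every session, a passive attacker records the key exchanges and ciphertext for months, and then recovers the fixed private key (say, via the timing attack under discussion). With the leaked key, every recorded session decrypts mechanically. If the router instead uses a fresh DH exponent per negotiation and erases it, the same leaked long-term key recovers nothing from the recordings. The group parameters (p = 2^61 - 1, g = 3), the SHA-256 key derivation, the toy stream cipher and the sample messages are all assumptions made for this demonstration and are not suitable for real use; the ephemeral variant also omits the signature on the router's share that a real protocol would add (so a leaked long-term key would still permit active impersonation going forward, just not passive decryption of recorded traffic).

```python
import hashlib
import secrets

# Toy DH group, chosen only so the demo is fast and self-contained.
# 2^61 - 1 is prime, but this size is far too small for real use.
P = (1 << 61) - 1
G = 3

# Constructed sample traffic that the router exchanges with its peers.
SAMPLE_MESSAGES = [
    b"GET /payroll/q3.csv HTTP/1.0",
    b"ssh login: admin / hunter2",
    b"BGP UPDATE 10.0.0.0/8 via AS64512",
]


def keygen():
    """Return a (private exponent, public value) DH pair."""
    x = secrets.randbelow(P - 2) + 1          # x in [1, P-2]
    return x, pow(G, x, P)


def session_key(shared_secret: int) -> bytes:
    """Derive a 32-byte session key from the DH shared secret."""
    return hashlib.sha256(shared_secret.to_bytes(8, "big")).digest()


def xor_stream(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher (SHA-256 counter keystream); symmetric, so it
    both encrypts and decrypts. Demonstration only."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)


def run_sessions(router_long_term, messages, ephemeral):
    """Simulate one session per message and return what a passive
    eavesdropper records: (router share, client share, ciphertext).

    ephemeral=False: the router reuses its long-term exponent every time.
    ephemeral=True : the router draws a fresh exponent per session and
                     forgets it afterwards (forward secrecy)."""
    x_r, pub_r = router_long_term
    transcripts = []
    for m in messages:
        y, pub_c = keygen()                       # client's share
        if ephemeral:
            x_s, pub_s = keygen()                 # fresh router share
        else:
            x_s, pub_s = x_r, pub_r               # fixed router share
        k = session_key(pow(pub_c, x_s, P))       # router's view
        assert k == session_key(pow(pub_s, y, P))  # client agrees
        transcripts.append((pub_s, pub_c, xor_stream(k, m)))
        # x_s and y go out of scope here: in the ephemeral case they are gone.
    return transcripts


def decrypt_with_leaked_key(x_r: int, transcripts):
    """The attacker has learned the router's long-term private exponent
    (e.g. through a timing attack) and replays it over the recorded
    transcripts. Works only where that exponent was actually used."""
    recovered = []
    for _pub_s, pub_c, ct in transcripts:
        k = session_key(pow(pub_c, x_r, P))
        recovered.append(xor_stream(k, ct))
    return recovered


def demo():
    """Return (static_recovered, ephemeral_recovered) for the sample traffic."""
    router = keygen()
    static = decrypt_with_leaked_key(router[0],
                                     run_sessions(router, SAMPLE_MESSAGES, False))
    ephem = decrypt_with_leaked_key(router[0],
                                    run_sessions(router, SAMPLE_MESSAGES, True))
    return static, ephem


if __name__ == "__main__":
    static, ephem = demo()
    print("fixed key, all sessions recovered:", static == SAMPLE_MESSAGES)
    print("fresh key per session, any recovered:",
          any(a == b for a, b in zip(ephem, SAMPLE_MESSAGES)))
```

The only difference between the two runs is whether the router's exponent survives past one negotiation; the recorded public shares and ciphertext look identical to the eavesdropper in both cases, which is the point of the argument above.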