[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: SSL search attacks

David R. Conrad writes
>Scott Brickner <[email protected]> writes:
>>[email protected] writes
>>>A random (instead
>>>of sequential) allocation _by the keyserver_ (out of unallocated 
>>>piecemeal segments) would also take some work to implement. 
>>The problem is that it's irrelevant to the problem.  Random allocation
>>at the server is equivalent to simply "shuffling" the segments before
>>assignment, which doesn't affect the rate at which the space is searched.
>The point is that if J. Random Badguy knows that the key lies in segment
>0x1bad and wants to get this segment and send a false NAK for it, he can
>watch as key segments are doled out (perhaps with clients running on a
>number of machines) and when 0x1bad gets close, say, when 0x1b0b comes
>out, he can instruct all his clients to start hammering the server for
>all they're worth in an attempt to get the key segment assigned to one
>of his clients.
>If the segments are shuffled before they are handed out then this attack
>becomes impossible, since the attacker has no way of knowing when
>segment 0x1bad will be handed out.

An excellent point.  One I'd missed.  I agree that a random shuffle
of segments is appropriate.