Re: Timing Attacks

[eli+@GS160.SP.CS.CMU.EDU]

samman-ben@CS.YALE.EDU writes:
>I'm not so sure I see the great usefulness of this attack.

It appears to be more practical than 99 percent of the "weaknesses"
that get published.  Not bad, I'd say.  It's also a very cute attack;
I'd never have guessed a priori that you could get that many key bits
from timing data.

>work in a lab, with the current advances in computing speed, the 
>differences between a fast and a slow calculation can easily be opaqued 
>by network lag.

"Random delays added to the processing time may increase the number of
ciphertexts required, but do not completely solve the problem since
attackers can compensate for the delay by collecting more
measurements.  (If enough random noise is added, the attack can
become infeasible.)"  [extended abstract, p. 5]

Sufficient network noise *might* make the problem go away, in some
cases, but that's a weak sort of claim to make about a cryptosystem.
(What if the attacker tries at six in the morning, or cracks a machine
local to you, or just gets lucky?)  You might put your server behind a
time-quantizing firewall...

Also, it's not just networked machines.  Smart cards may have a hard
time defending themselves against hostile card readers.  They're slow
already; the user may not appreciate the extra time spent for
obfuscation.  (This depends critically on the numbers, of course.)

--
   Eli Brandt
   eli+@cs.cmu.edu