Re: Timing Cryptanalysis Attack

On Mon, 11 Dec 1995, Jeff Weinstein wrote:

> 
>   While an exploit of this attack against our software has not
> been demonstrated, and there is some debate about whether it
> will even work, we are taking it very seriously.  We've been
> working with Paul to develop a fix, which we will implement
> even if the attack is never proven effective against our software.
> 

My gut & scribble-on-the-back-of-a-napkin feeling about this class of 
attack is that it could be a problem for smartcards (almost certainly), 
and possibly for non-routed networks (possibly - napkin was too small  
:-), but is not going to be viable on internetworks where routers are in 
use; if a packet enters a queue at any point in its path, then the 
transit time will be quantised by the time it drains the queue, which is 
basically controlled by the time it takes to drain previously queued 
packets; this will destroy any microsecond level correlations that may 
have been leaked. Ron is supposed to be doing a presentation at WWW IV 
later this week - hopefully he'll give his opinion on this.

Definitely a really neat hack, even if it isn't always practical.

Simon
p.s.

 Someone mentioned adding random timings instead of padding out to a 
constant time. This won't work (adding noise doesn't destroy a signal - 
just increases the effort needed to isolate it).
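The point in the postscript can be seen in a small simulation. This is an added illustration, not code from the thread or from any product discussed in it; the timing model is constructed (microsecond units, one secret-dependent branch costing DELTA_US extra, uniform random delay of width `jitter`), and it compares the "add random delay" proposal with padding out to a constant time by checking whether averaging many samples still separates the two secret values.

```python
import math
import random
import statistics

# Constructed timing model (microseconds): one secret-dependent branch costs
# DELTA_US extra, and a random delay drawn uniformly from [0, jitter) is added.
BASE_US = 100.0
DELTA_US = 1.0

def leaky_op(secret_bit, rng, jitter):
    """Secret-dependent cost plus random padding (the 'add noise' proposal)."""
    return BASE_US + (DELTA_US if secret_bit else 0.0) + rng.uniform(0.0, jitter)

def constant_op(secret_bit, rng, jitter):
    """Same work padded out to the worst case, so cost is independent of the secret."""
    return BASE_US + DELTA_US + rng.uniform(0.0, jitter)

def distinguishable(op, samples, jitter, sigma=4.0, seed=1):
    """Can an observer separate secret_bit=0 from secret_bit=1 by averaging?

    Returns True when the gap between the mean timings exceeds `sigma`
    standard errors, i.e. the signal survives the added noise.
    """
    rng = random.Random(seed)  # fixed seed so the run is reproducible
    t0 = [op(0, rng, jitter) for _ in range(samples)]
    t1 = [op(1, rng, jitter) for _ in range(samples)]
    gap = statistics.mean(t1) - statistics.mean(t0)
    se = math.sqrt(statistics.variance(t0) / samples + statistics.variance(t1) / samples)
    return abs(gap) > sigma * se

def samples_needed(jitter, delta=DELTA_US, sigma=4.0):
    """Per-class sample count at which uniform jitter of width `jitter`
    no longer hides a `delta` difference (at `sigma` standard errors).
    Uniform[0, J) has variance J^2/12, so SE(gap) = J * sqrt(2 / (12 n))."""
    return math.ceil(sigma ** 2 * jitter ** 2 / (6.0 * delta ** 2))

if __name__ == "__main__":
    print("random delay, 20 samples:    ", distinguishable(leaky_op, 20, 50.0))
    print("random delay, 40000 samples: ", distinguishable(leaky_op, 40000, 50.0))
    print("constant time, 40000 samples:", distinguishable(constant_op, 40000, 50.0))
    print("samples to beat 50us jitter: ", samples_needed(50.0))
    print("samples to beat 500us jitter:", samples_needed(500.0))
```

Widening the random delay tenfold raises the sample count a hundredfold but never removes the gap, whereas the constant-time variant shows no gap at any sample count; that is the difference between raising an attacker's effort and removing the signal.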