1995-12-12 - Re: Timing Cryptanalysis Attack

Header Data

From: Simon Spero <ses@tipper.oit.unc.edu>
To: Jeff Weinstein <jsw@netscape.com>
Message Hash: 017d2a465f26d459d709a0978271458f0e7b3375f87edf61b199471c4e8b43b3
Message ID: <Pine.SUN.3.91.951212104716.29421B-100000@tipper.oit.unc.edu>
Reply To: <30CC0D31.293C@netscape.com>
UTC Datetime: 1995-12-12 16:56:02 UTC
Raw Date: Wed, 13 Dec 1995 00:56:02 +0800

Raw message

From: Simon Spero <ses@tipper.oit.unc.edu>
Date: Wed, 13 Dec 1995 00:56:02 +0800
To: Jeff Weinstein <jsw@netscape.com>
Subject: Re: Timing Cryptanalysis Attack
In-Reply-To: <30CC0D31.293C@netscape.com>
Message-ID: <Pine.SUN.3.91.951212104716.29421B-100000@tipper.oit.unc.edu>
MIME-Version: 1.0
Content-Type: text/plain


On Mon, 11 Dec 1995, Jeff Weinstein wrote:

> 
>   While an exploit of this attack against our software has not
> been demonstrated, and there is some debate about whether it
> will even work, we are taking it very seriously.  We've been
> working with Paul to develop a fix, which we will implement
> even if the attack is never proven effective against our software.
> 

My gut & scribble-on-the-back-of-a-napkin feeling about this class of 
attack is that it could be a problem for smartcards (almost certainly), 
and possibly for non-routed networks (possibly - napkin was too small  
:-), but is not going to be viable on internetworks where routers are in 
use; if a packet enters a queue at any point in its path, then the 
transit time will be quantised by the time it drains the queue, which is 
basically controlled by the time it takes to drain previously queued 
packets; this will destroy any microsecond level correlations that may 
have been leaked. Ron is supposed to be doing a presentation at WWW IV 
later this week - hopefully he'll give his opinion on this.

Definitely a really neat hack, even if it isn't always practical.

Simon
p.s.

 Someone mentioned adding random timings instead of padding out to a 
constant time. This won't work (adding noise doesn't destroy a signal - 
just increases the effort needed to isolate it)
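
The p.s. above, worked as a simulation (an added example, not part of the original message; every timing value and function name here is constructed for illustration). Averaging repeated observations recovers a 2 microsecond secret-dependent gap from under 200 microseconds of random delay, while padding to a fixed deadline leaves no gap to average.

```python
import random
import statistics

BASE_US = 100.0    # constructed: duration of the fast path, microseconds
LEAK_US = 2.0      # constructed: extra time taken when the secret bit is 1
JITTER_US = 200.0  # constructed: maximum random delay added as a "fix"
PAD_TO_US = 150.0  # constructed: fixed deadline for the constant-time variant


def observe(secret_bit, rng, mode):
    """Return one observed response time under the given countermeasure."""
    work = BASE_US + (LEAK_US if secret_bit else 0.0)
    if mode == "random":
        return work + rng.uniform(0.0, JITTER_US)  # noise added on top of the signal
    if mode == "constant":
        return max(work, PAD_TO_US)                # always wait for the deadline
    return work                                    # mode "none": no countermeasure


def mean_gap(mode, n, seed=1995):
    """Mean observed time for bit=1 minus bit=0, over n samples of each."""
    rng = random.Random(seed)
    ones = [observe(1, rng, mode) for _ in range(n)]
    zeros = [observe(0, rng, mode) for _ in range(n)]
    return statistics.fmean(ones) - statistics.fmean(zeros)


def samples_needed(z=3.0):
    """Samples per class for the gap to sit z standard errors away from zero."""
    sigma = JITTER_US / 12 ** 0.5  # standard deviation of uniform(0, JITTER_US)
    # Standard error of the difference of two means is sigma * sqrt(2 / n).
    return int(2 * (z * sigma / LEAK_US) ** 2) + 1


if __name__ == "__main__":
    for n in (100, 10_000, 400_000):
        print(f"random delay, n={n:>7}: gap = {mean_gap('random', n):8.3f} us")
    print(f"constant time          : gap = {mean_gap('constant', 1000):8.3f} us")
    print(f"samples per class for a 3-sigma gap: {samples_needed()}")
```

The required sample count grows with the square of the noise-to-leak ratio, so doubling the jitter only quadruples the measurement effort; the constant-time gap is zero at any sample count.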
