1995-12-11 - Timing Cryptanalysis Attack

Header Data

From: anon-remailer@utopia.hacktic.nl (Anonymous)
To: cypherpunks@toad.com
Message Hash: 414442e89de9e4301899923c34a456ac351606a8009ed18eef749822051ddcaf
Message ID: <199512110845.JAA25564@utopia.hacktic.nl>
Reply To: N/A
UTC Datetime: 1995-12-11 09:12:49 UTC
Raw Date: Mon, 11 Dec 1995 17:12:49 +0800

Raw message

From: anon-remailer@utopia.hacktic.nl (Anonymous)
Date: Mon, 11 Dec 1995 17:12:49 +0800
To: cypherpunks@toad.com
Subject: Timing Cryptanalysis Attack
Message-ID: <199512110845.JAA25564@utopia.hacktic.nl>
MIME-Version: 1.0
Content-Type: text/plain

pck@netcom.com (Paul C. Kocher) writes:

 > I've just released details of an attack many of you will
 > find interesting since quite a few existing cryptography
 > products and systems are potentially at risk.  The general
 > idea of the attack is that secret keys can be found by
 > measuring the amount of time used to process messages.

I just read this paper, and while it is somewhat interesting, I
don't think the walls of cryptography are in any danger of
crumbling.

People employing systems like PGP are already advised to use them
on private machines, with only one user, and untampered-with
binaries.  Under such circumstances, the collecting of statistics
necessary to employ a timing attack would be difficult at best,
and anyone doing a "black bag" job on the platform would be
better advised to use a direct attack like a passphrase-sniffer
as opposed to a complex statistical approach.

On networked systems with many users, where one is advised not to
decrypt with or store one's private key, the situation is of
course different.  But again, another user with the ability to
monitor the timing of specific subroutines in one's cryptographic
software or feed that software enough chosen data to generate a
statistical profile of the key, would doubtless have an
opportunity to compromise the system in other ways.

In the particular case of RSA used to sign messages or transmit
session keys, the values being exponentiated are either highly
random or strongly hashed, and the opportunity of an opponent to
time numerical routines with data of his own choosing is
non-existent.

So while this is a very nice piece of work, and certainly of
theoretical interest, I don't think it will modify the way in
which people are advised to utilize cryptographic software, or
cause companies like Netscape or RSADSI to shed any tears.

                                   -Bourbaki 137
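The mechanism under discussion, as an added example that is not part of the original post or of Kocher's paper: a naive RSA square-and-multiply whose operation count depends on the secret exponent (the leak a timing attack measures), beside two defensive responses, a Montgomery ladder with a fixed number of multiplications per bit and base blinding, the countermeasure Kocher proposed for implementations that cannot be made constant-time. Operation counts stand in for wall-clock time, and the RSA parameters are tiny constructed textbook values, not a real key.

```python
# Added example, not code from the original post. Models the secret-dependent
# work in RSA exponentiation that a timing attack measures, and two defences:
# a fixed-operation Montgomery ladder and base blinding. Operation counts stand
# in for run time; the RSA key is a constructed textbook toy, not a real key.
import math
import secrets
from typing import Optional, Tuple

# Constructed toy RSA key: n = 61 * 53, e * d == 1 (mod phi(n)).
N, E, D = 3233, 17, 2753


def hamming_weight(x: int) -> int:
    return bin(x).count("1")


def naive_modexp(base: int, exp: int, mod: int) -> Tuple[int, int]:
    """Left-to-right square-and-multiply, returning (result, op_count).

    The extra multiply runs only for 1-bits of the exponent, so op_count
    equals bit_length + hamming_weight and leaks the exponent. This is
    the 'before' case: the leak a timing attack exploits.
    """
    result, ops = 1, 0
    for bit in bin(exp)[2:]:
        result = (result * result) % mod
        ops += 1
        if bit == "1":
            result = (result * base) % mod
            ops += 1
    return result, ops


def _cswap(swap: int, a: int, b: int) -> Tuple[int, int]:
    """Branch-free conditional swap: swap=1 exchanges a and b, swap=0 does not.

    -swap is 0 or an all-ones mask on Python ints, so no secret-dependent
    branch is taken. (Python gives no hard timing guarantees itself; the
    point is the structure a C implementation would copy.)
    """
    mask = -swap
    t = (a ^ b) & mask
    return a ^ t, b ^ t


def ladder_modexp(base: int, exp: int, mod: int) -> Tuple[int, int]:
    """Montgomery ladder: exactly two multiplications per exponent bit
    whatever the bit values, so op_count carries no key information.
    Invariant after each step: r1 == r0 * base (mod mod)."""
    r0, r1, ops = 1, base % mod, 0
    for bit in bin(exp)[2:]:
        b = int(bit)
        r0, r1 = _cswap(b, r0, r1)
        r1 = (r0 * r1) % mod
        r0 = (r0 * r0) % mod
        r0, r1 = _cswap(b, r0, r1)
        ops += 2
    return r0, ops


def blinded_decrypt(c: int, d: int = D, e: int = E, n: int = N,
                    r: Optional[int] = None) -> int:
    """RSA decryption with base blinding (Kocher's countermeasure).

    The private exponent is applied to c * r^e, a value the attacker
    cannot predict, so observed timings cannot be correlated with chosen
    ciphertexts even though the exponentiation itself still leaks.
    r is drawn fresh per operation; the parameter exists only so a test
    can pass a fixed constructed value.
    """
    if r is None:
        r = secrets.randbelow(n - 2) + 2
        while math.gcd(r, n) != 1:          # need r^-1 mod n to exist
            r = secrets.randbelow(n - 2) + 2
    blinded_c = (c * pow(r, e, n)) % n
    blinded_m, _ = naive_modexp(blinded_c, d, n)   # deliberately the leaky routine
    return (blinded_m * pow(r, -1, n)) % n          # (m * r) * r^-1 == m


if __name__ == "__main__":
    for exp in (0b1000, 0b1101, 0b1111):
        _, naive_ops = naive_modexp(5, exp, N)
        _, ladder_ops = ladder_modexp(5, exp, N)
        print(f"exp={exp:04b} naive_ops={naive_ops} ladder_ops={ladder_ops}")
    m = 65
    print("blinded decrypt ok:", blinded_decrypt(pow(m, E, N)) == m)
```

The three exponents in the demo share a bit length but differ in Hamming weight, which is exactly the difference the naive routine exposes and the ladder hides. Blinding is the option when the arithmetic cannot be changed: the leaky routine still runs, but on inputs the measuring party never chose.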