From: Eric Young <eay@mincom.oz.au>
Date: Mon, 11 Dec 95 20:26:50 PST
To: Anonymous <anon-remailer@utopia.hacktic.nl>
Subject: Re: Timing Cryptanalysis Attack
In-Reply-To: <199512120058.BAA25991@utopia.hacktic.nl>
Message-ID: <Pine.SOL.3.91.951212135724.12253H-100000@orb>
MIME-Version: 1.0
Content-Type: text/plain


On Tue, 12 Dec 1995, Anonymous wrote:
>  > Timings like the ones listed are trivial to take in
>  > establishing things like SSL sessions, or Photuris sessions.
>  > The danger is to online protocols, not to PGP.
> This must be a new and interesting definition of the word
> "trivial" with which I was previously unfamiliar.
> 
> Quite frankly, I would be extremely surprised if anyone mounted a
> successful hostile attack against a server's RSA certificate
> using timings of remotely initiated SSL sessions outside of a
> controlled laboratory environment.

Well lets put it this way, people have hacked machines through firewalls
via IP spoofing, broken a single SSL RC4-40 bit session after weeks of CPU
time, are you saying that perhaps being able to break a fixed
Diffie-Hellman key on a central router/computer would not be worth trying. 
Remember, if you broke this key, and had recorded the last 6 months worth
of traffic, you can now decode all of this traffic.  Once you have that
secret key and those packet logs, the decoding is a trivial and mechanical
process (trust me on this one).  One of the major advantages of choosing a
new secret key per HD negotiation is that you loose this capacity to
decrypt previous and future sessions. When we talk about taking 100s of
years to factor large primes, a system that may work after a month or 2 of
collecting data and statistics is definatly an easier proposition,
especially when the reward is all past and future traffic. 

eric
--
Eric Young                  | Signature removed since it was generating
AARNet: eay@mincom.oz.au    | more followups than the message contents :-)