1995-12-14 - Re: Timing Cryptanalysis Attack

Header Data

From: hoz@univel.telescan.com (rick hoselton)
To: cypherpunks@toad.com
Message Hash: d73bca18ce8bfc14ef630da3ee89f3d1378635b1848d8fd6884723f89afa1a94
Message ID: <9512141637.AA11479@toad.com>
Reply To: N/A
UTC Datetime: 1995-12-14 17:32:22 UTC
Raw Date: Fri, 15 Dec 1995 01:32:22 +0800

Raw message

From: hoz@univel.telescan.com (rick hoselton)
Date: Fri, 15 Dec 1995 01:32:22 +0800
To: cypherpunks@toad.com
Subject: Re: Timing Cryptanalysis Attack
Message-ID: <9512141637.AA11479@toad.com>
MIME-Version: 1.0
Content-Type: text/plain


At 03:42 PM 12/14/95 +0100, Lars Johansson wrote:

>>Does the attack work for existing smartcards?

>At first glance, smart cards would seem to be the most critical target
>to Kocher's timing attack since they usually operate in on-line
>environments.

Not just on-line, they also operate in untrusted (hostile?) 
environments.

>...the terminal could get a (noisy) measure of the time by 
> repeatingly use this command to see when the result is available.

Might a terminal also be able to monitor power consumption or 
electromagnetic emissions to obtain a more precise time estimate?

>Most smart cards does nevertheless require that the user must first
>specify a PIN code before the RSA algorithms are operationable.

If I used my RSA card every day, (at a toll booth, for instance), and 
the "bad guys" pilfered an "exact" timing upon each use, how long before 
they could forge a signature?

>This implies that even if the card gets stolen can't it be attacked
>with Kocher's method.

That is useful, but if I know my card is stolen, I can presumably limit 
my liability by reporting it.  If I still have my card, but my secret 
key is stolen, then damage might be greater.


On another note, timing attacks would not seem to work against 
most DES implementations,  hardware or software.  The time to execute 
each round does not seem to depend on the plaintext or the key.  It could 
be made to, of course, but unless I'm missing something, the "natural" way to 
code it, or to construct hardware for it, is not time dependent.  










Rick F. Hoselton  (who doesn't claim to present opinions for others)






Thread