1995-12-12 - Re: Timing Cryptanalysis Attack

Header Data

From: fc@all.net (Dr. Frederick B. Cohen)
To: adam@lighthouse.homeport.org (Adam Shostack)
Message Hash: e7f39e030b3cbed69dbbca5a0e3b29bf7aeab93dee8bf9e7f93412398aea18c8
Message ID: <9512121726.AA05382@all.net>
Reply To: <199512121525.KAA09078@homeport.org>
UTC Datetime: 1995-12-12 18:06:25 UTC
Raw Date: Wed, 13 Dec 1995 02:06:25 +0800

Raw message

From: fc@all.net (Dr. Frederick B. Cohen)
Date: Wed, 13 Dec 1995 02:06:25 +0800
To: adam@lighthouse.homeport.org (Adam Shostack)
Subject: Re: Timing Cryptanalysis Attack
In-Reply-To: <199512121525.KAA09078@homeport.org>
Message-ID: <9512121726.AA05382@all.net>
MIME-Version: 1.0
Content-Type: text


> Jim Gillogly wrote:
> 
> | > Nathaniel Borenstein <nsb@nsb.fv.com> writes:
> | > Hey, don't go for constant time, that's too hard to get perfect.  Add a
> | > *random* delay.  This particular crypto-flaw is pretty easy to fix. 
> | > (See, I'm not *always* arguing the downside of cryptography!)
> 
> 	Does the delay have to be random, or does the total time for a
> transaction need to be unrelated to the bits in the secret key?
> Assume that the time added is pseudo-random (and confidential).
> Further, for any non-overlapping group of N transactions, the
> distribution of the times fits some predetermined curve, say a bell
> curve.

Random time won't save you - it just increases the noise, thus reducing
the effective bandwidth of the covert channel.  To get the time, I only
need to do enough repetitions of the same computation to eliminate the
effect of the randomness and I have the same resulting information about
the key.

The only way to completely remove covert channels is by making the
measurable time completely independent of the actual time.

One way with the RSA might be to do the encryption with the key and the
inverse of the key (hence all 0s become 1s and 1s become 0s).

-> See: Info-Sec Heaven at URL http://all.net/
Management Analytics - 216-686-0090 - PO Box 1480, Hudson, OH 44236
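
The averaging argument in the reply above can be checked numerically. The simulation below is an added example, not part of the original message: it compares a random delay with padding every call to a fixed duration. The toy square-and-multiply cost model, the constants, the two sample keys and all function names are constructed for illustration and do not measure any real RSA implementation.

```python
import random

# Constructed toy model (assumption): every exponent bit costs one squaring,
# and every 1 bit costs one extra multiply, as in naive square-and-multiply.
KEY_BITS = 64
SQUARE_US = 10.0        # assumed cost of a squaring, in microseconds
MULTIPLY_US = 10.0      # assumed extra cost of a 1 bit
MAX_JITTER_US = 5000.0  # random delay, about 20x larger than the signal

KEY_A = 0xFFFFFFFF00000000  # constructed sample key, 32 one-bits
KEY_B = 0x00000000000000FF  # constructed sample key, 8 one-bits

def raw_time(key):
    """Key-dependent running time of the toy exponentiation."""
    return KEY_BITS * SQUARE_US + bin(key).count("1") * MULTIPLY_US

def observed_time(key, mitigation, rng):
    """Time an outside observer would measure under a given mitigation."""
    if mitigation == "random_delay":
        # Noise is added on top of the secret-dependent time.
        return raw_time(key) + rng.uniform(0.0, MAX_JITTER_US)
    if mitigation == "fixed_duration":
        # Every call is padded to the worst case, so the observed time
        # no longer depends on the key at all.
        return KEY_BITS * (SQUARE_US + MULTIPLY_US)
    return raw_time(key)  # "none"

def mean_gap(key_a, key_b, mitigation, samples, seed=1995):
    """Difference between the mean observed times of two keys."""
    rng = random.Random(seed)  # fixed seed keeps the run reproducible
    mean_a = sum(observed_time(key_a, mitigation, rng)
                 for _ in range(samples)) / samples
    mean_b = sum(observed_time(key_b, mitigation, rng)
                 for _ in range(samples)) / samples
    return mean_a - mean_b

if __name__ == "__main__":
    print("true gap (us):", raw_time(KEY_A) - raw_time(KEY_B))
    for n in (10, 1_000, 200_000):
        for mitigation in ("random_delay", "fixed_duration"):
            gap = mean_gap(KEY_A, KEY_B, mitigation, n)
            print(f"n={n:>7} {mitigation:<14} mean gap = {gap:9.2f} us")
```

With the random delay, the standard error of the mean shrinks as 1/sqrt(n), so the measured gap settles on the true 240 us as n grows; with fixed-duration padding the gap is zero at every sample size.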




