1995-12-14 - Re: Kocher’s RSA attack

Header Data

From: hallam@w3.org
To: rschlafly@attmail.com (Roger Schlafly)
Message Hash: 2d88d1c22c27d1ef1437cba9c85127502acfe71b050a4f8b53338f197b1986cf
Message ID: <9512141640.AA22375@zorch.w3.org>
Reply To: <rschlafly3480927310>
UTC Datetime: 1995-12-14 19:35:34 UTC
Raw Date: Fri, 15 Dec 1995 03:35:34 +0800

Raw message

From: hallam@w3.org
Date: Fri, 15 Dec 1995 03:35:34 +0800
To: rschlafly@attmail.com (Roger Schlafly)
Subject: Re: Kocher's RSA attack
In-Reply-To: <rschlafly3480927310>
Message-ID: <9512141640.AA22375@zorch.w3.org>
MIME-Version: 1.0
Content-Type: text/plain



Further to Roger's comments that modular multiplies in software probably do
not allow the timing attacks.

On the internet the randomness introduced by the network probably hides
the timing of the cryptography. I say probably because I am at a conference
and have not got the maths texts to hand. I would guess however that
Shanon's paper on communications bandwidth and some empirical results on
the timing characteristics of the network would allow one to demonstrate that
the attack is infeasible.

On the other hand the attack is quite likely to work against some smart
cards. In particular there are many which do not have specialized modular
multiplication facilities. These use software to implement bignum arithmetic. 
Since smartcards also tend to be slow processors the arithmetic may well have been speeded up with the type of optimisation
been speeded up in an RSAREF type manner.

A conclusion which might be reached is that smartcards should in future contain 
contain a timer which is started at the beginnin of every cryptographic
operation and a delay loop introduced to ensure that the time taken is always
the same. The alternative of attempting to ensure that equal processing is
spent on each cycle threatens an infinite regress into second and third order
effects, eg frequency of page faults. Covert channel analysis is bad enough
as it is.

Perhaps we should concentrate on the question of how the timing attack bight be used
in a workstation environment. Here covert channels are very relevant - with the
proviso that we do not have a process concealment problem but a security 
partitioning problem. Consider the problem of a cryptographic file store where
the users do not have access to a private key used to make files accessible.

I suggest that we attempt to break out these attacks into categories, label 
the categories and produce a companion guide to the attack paper describing its
system level implications. I beleive that such a task is best done in 
a collaborative medium such as this list. We need as many people as possible to
consider the possible attack modes. Nobody is likely to think of them all.

	Phill






Thread