1995-12-11 - Timing attacks

Header Data

From: SINCLAIR DOUGLAS N <sinclai@ecf.toronto.edu>
To: cypherpunks@toad.com
Message Hash: 4a00e097fde45e4b3d93a28e5ee67998b30c54553f9bf243a8be2385637708f6
Message ID: <95Dec11.111045edt.4478@cannon.ecf.toronto.edu>
Reply To: N/A
UTC Datetime: 1995-12-11 20:42:24 UTC
Raw Date: Tue, 12 Dec 1995 04:42:24 +0800

Raw message

From: SINCLAIR  DOUGLAS N <sinclai@ecf.toronto.edu>
Date: Tue, 12 Dec 1995 04:42:24 +0800
To: cypherpunks@toad.com
Subject: Timing attacks
Message-ID: <95Dec11.111045edt.4478@cannon.ecf.toronto.edu>
MIME-Version: 1.0
Content-Type: text/plain


I have had some success using timing against UNIX to find out what usernames
are valid on systems with finger &c disabled.  If a username does not exist,
it returns the "Login incorrect" a lot faster than it would if the username
existed but the password was incorrect.  I wonder how many other systems are
vulnerable to this sort of attack.
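
A defender's view of the timing difference described in the message, as an added example that is not part of the original post. It assumes the gap comes from skipping the password hash when the username is unknown; the function names, the `alice` account and the iteration count are constructed for illustration, and the count of hash calls stands in for elapsed time.

```python
import hashlib
import hmac
import os

ITERATIONS = 10_000   # constructed cost parameter for the slow hash
kdf_calls = 0         # number of expensive hashes run, a proxy for response time

def slow_hash(password: str, salt: bytes) -> bytes:
    global kdf_calls
    kdf_calls += 1
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def make_record(password: str):
    salt = os.urandom(16)
    return salt, slow_hash(password, salt)

# Constructed sample account database: username -> (salt, hash)
USERS = {"alice": make_record("correct horse")}
# Dummy record hashed against when the username does not exist
DUMMY_RECORD = make_record(os.urandom(16).hex())

def login_leaky(username: str, password: str) -> bool:
    """Assumed cause of the fast failure: unknown users return before hashing."""
    record = USERS.get(username)
    if record is None:
        return False                      # no hash computed: fast path
    salt, stored = record
    return hmac.compare_digest(slow_hash(password, salt), stored)

def login_uniform(username: str, password: str) -> bool:
    """Runs exactly one hash on every path, so both failures cost the same."""
    salt, stored = USERS.get(username, DUMMY_RECORD)
    matches = hmac.compare_digest(slow_hash(password, salt), stored)
    return matches and username in USERS  # dummy record can never authenticate

def cost(login, username: str, password: str):
    """Return (login result, expensive hashes performed during the call)."""
    before = kdf_calls
    result = login(username, password)
    return result, kdf_calls - before

if __name__ == "__main__":
    for fn in (login_leaky, login_uniform):
        for user in ("alice", "nobody"):
            print(fn.__name__, user, cost(fn, user, "wrong password"))
```

Equal work per path removes the gross difference; the error message and any later steps (logging, lockout counters) also have to be the same for both failure cases.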




