1995-12-17 - Re: kocher's timing attack

Header Data

From: "Jonathan M. Bresler" <jmb@FreeBSD.ORG>
To: Hal <hfinney@shell.portal.com>
Message Hash: 8984dcd7636a00a0d6eb47b65e3ecc04f835ec23e05073da52fc8593faf436d2
Message ID: <Pine.BSF.3.91.951216181017.28505B-100000@Aspen.Woc.Atinc.COM>
Reply To: <199512151457.GAA27245@jobe.shell.portal.com>
UTC Datetime: 1995-12-17 00:01:27 UTC
Raw Date: Sun, 17 Dec 1995 08:01:27 +0800

Raw message

From: "Jonathan M. Bresler" <jmb@FreeBSD.ORG>
Date: Sun, 17 Dec 1995 08:01:27 +0800
To: Hal <hfinney@shell.portal.com>
Subject: Re: kocher's timing attack
In-Reply-To: <199512151457.GAA27245@jobe.shell.portal.com>
Message-ID: <Pine.BSF.3.91.951216181017.28505B-100000@Aspen.Woc.Atinc.COM>
MIME-Version: 1.0
Content-Type: text/plain


On Fri, 15 Dec 1995, Hal wrote:

> As Kocher's paper implies, the known ciphertext attack is a TIMING
> attack.  Simply accumulating known text/signature pairs as you would have
> after a "key signing party" does not help.  You must know exactly how
> much time each signature took.

	how to use a timing attack?  across a network?  on the same host
(therefore multiuser)?   or on a dedicated host, with a known algorithm
and known ciphertext running DOS (no kernel or anything to preempt the
process)?   using the famous appendix H registers of a 586 allows you to
time the processing of instructions very well.

	don't have to know how long it takes to encrypt ahead of time.
walk the key bit by bit (ouch bad pun) guessing 1 or 0 each time and
looking to see if the correlations continue to appear or not.  horrendous
problem, but a lot better than brute force.

	i really need to read the final paper when it is issued.

jmb

Jonathan M. Bresler        FreeBSD Postmaster         jmb@FreeBSD.ORG
play go. ride bike. hack FreeBSD.--ah the good life 
i am moving to a new job.                 PLEASE USE: jmb@FreeBSD.ORG