From: Eric Young <eay@mincom.oz.au>
To: Anonymous <anon-remailer@utopia.hacktic.nl>
Message Hash: caba097df2664752ddd60d22a5c50bb7c7ed59eec83a79606fb546ee40aa397a
Message ID: <Pine.SOL.3.91.951212135724.12253H-100000@orb>
Reply To: <199512120058.BAA25991@utopia.hacktic.nl>
UTC Datetime: 1995-12-12 04:26:50 UTC
Raw Date: Mon, 11 Dec 95 20:26:50 PST
From: Eric Young <eay@mincom.oz.au>
Date: Mon, 11 Dec 95 20:26:50 PST
To: Anonymous <anon-remailer@utopia.hacktic.nl>
Subject: Re: Timing Cryptanalysis Attack
In-Reply-To: <199512120058.BAA25991@utopia.hacktic.nl>
Message-ID: <Pine.SOL.3.91.951212135724.12253H-100000@orb>
MIME-Version: 1.0
Content-Type: text/plain
On Tue, 12 Dec 1995, Anonymous wrote:
> > Timings like the ones listed are trivial to take in
> > establishing things like SSL sessions, or Photuris sessions.
> > The danger is to online protocols, not to PGP.
> This must be a new and interesting definition of the word
> "trivial" with which I was previously unfamiliar.
>
> Quite frankly, I would be extremely surprised if anyone mounted a
> successful hostile attack against a server's RSA certificate
> using timings of remotely initiated SSL sessions outside of a
> controlled laboratory environment.
Well lets put it this way, people have hacked machines through firewalls
via IP spoofing, broken a single SSL RC4-40 bit session after weeks of CPU
time, are you saying that perhaps being able to break a fixed
Diffie-Hellman key on a central router/computer would not be worth trying.
Remember, if you broke this key, and had recorded the last 6 months worth
of traffic, you can now decode all of this traffic. Once you have that
secret key and those packet logs, the decoding is a trivial and mechanical
process (trust me on this one). One of the major advantages of choosing a
new secret key per HD negotiation is that you loose this capacity to
decrypt previous and future sessions. When we talk about taking 100s of
years to factor large primes, a system that may work after a month or 2 of
collecting data and statistics is definatly an easier proposition,
especially when the reward is all past and future traffic.
eric
--
Eric Young | Signature removed since it was generating
AARNet: eay@mincom.oz.au | more followups than the message contents :-)
Return to December 1995
Return to “Simon Spero <ses@tipper.oit.unc.edu>”