Jim Gillogly wrote:
| > Nathaniel Borenstein <nsb@nsb.fv.com> writes:
| > Hey, don't go for constant time, that's too hard to get perfect. Add a
| > *random* delay. This particular crypto-flaw is pretty easy to fix.
| > (See, I'm not *always* arguing the downside of cryptography!)
Does the delay have to be random, or does the total time for a transaction need to be unrelated to the bits in the secret key? Assume that the time added is pseudo-random (and confidential). Further, for any non-overlapping group of N transactions, the distribution of the times fits some predetermined curve, say a bell curve.
Random time won't save you - it just increases the noise, thus reducing the effective bandwidth of the covert channel. To get the time, I only need to do enough repetitions of the same computation to eliminate the effect of the randomness and I have the same resulting information about the key. The only way to completely remove covert channels is by making the measurable time completely independent of the actual time. One way with the RSA might be to do the encryption with the key and the inverse of the key (hence all 0s become 1s and 1s become 0s).

-> See: Info-Sec Heaven at URL http://all.net/
Management Analytics - 216-686-0090 - PO Box 1480, Hudson, OH 44236
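The averaging argument in the message above, as an added simulation that is not part of the original thread: a random delay leaves the mean timing gap between two key-bit values intact, while holding every result until a fixed deadline removes it. The timing model, the constants and all function names are assumptions constructed for illustration.

```python
import random

BASE = 100.0      # assumed fixed cost of the operation (arbitrary time units)
KEY_STEP = 1.0    # assumed extra cost when the secret bit is 1
DEADLINE = 200.0  # assumed fixed release time, above the worst-case actual time

def actual_time(secret_bit, rng, max_jitter):
    """Key-dependent cost plus a random delay drawn uniformly from [0, max_jitter]."""
    return BASE + (KEY_STEP if secret_bit else 0.0) + rng.uniform(0.0, max_jitter)

def padded_time(secret_bit, rng, max_jitter):
    """Hold the result until DEADLINE, so the observable time ignores the actual time."""
    return max(actual_time(secret_bit, rng, max_jitter), DEADLINE)

def mean_gap(timer, n, max_jitter, seed=1):
    """Difference between mean observed times for secret_bit=1 and secret_bit=0."""
    rng = random.Random(seed)
    ones = sum(timer(1, rng, max_jitter) for _ in range(n)) / n
    zeros = sum(timer(0, rng, max_jitter) for _ in range(n)) / n
    return ones - zeros

if __name__ == "__main__":
    # The jitter (up to 50 units) dwarfs the 1-unit key-dependent step, yet the
    # gap in the means settles toward KEY_STEP as the sample count grows.
    for n in (10, 1000, 200000):
        print(n, round(mean_gap(actual_time, n, 50.0), 3),
              mean_gap(padded_time, n, 50.0))
```

The padded variant only holds while DEADLINE exceeds the worst-case actual time; any operation that overruns it leaks again.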