On Mon, 11 Dec 1995, Anonymous wrote:
> pck@netcom.com (Paul C. Kocher) writes:
> > I just read this paper, and while it is somewhat interesting, I don't
> > think the walls of cryptography are in any danger of crumbling.
> > ...
> > So while this is a very nice piece of work, and certainly of
> > theoretical interest, I don't think it will modify the way in which
> > people are advised to utilize cryptographic software, or cause
> > companies like Netscape or RSADSI to shed any tears.
Read the SKIP spec (SKIP is Sun's IP level encryption protocol). It uses Diffie-Hellman certificates. That means fixed secret DH keys being used in routers. It is hard to think of a better target for this type of attack. I have not done a complete read of the SKIP specification (only a quick scan) so I could be wrong about SKIP, but DH certificates sound like a very very bad idea.

The other source for attack would be any networked service that is on a local network. Single user machines are far better targets than multi-user systems. That Web server sitting idle not doing much: repeatedly hit it with https requests and, if you are on a local network, you should be able to get very good timing information.

I for one will probably add a flag for conditional compilation of my bignumber library so that it will take constant time. This may be a 10% slow down (using small windows exponentiation), which is trivial compared to the 30% speedup I will probably get when I implement a faster mod function :-).

eric
--
Eric Young                | Signature removed since it was generating
AARNet: eay@mincom.oz.au  | more followups than the message contents :-)
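A small illustration of the constant-time point in the message above, added here as an example (it is not Eric Young's code, not SSLeay's, and not any library's): a plain left-to-right square-and-multiply whose multiplication count follows the exponent's bits, beside a Montgomery-ladder version that does the same work for every bit. The ladder stands in for the "small windows" approach the message mentions, which is a different constant-time technique; the 64-bit `mulmod`, the operation counters and the sample modulus and exponents are assumptions made for this demonstration.

```c
#include <stdint.h>
#include <stdio.h>

/* 64-bit modular multiplication through a 128-bit intermediate (GCC/Clang).
   The '%' is itself not constant-time; a real library would use Montgomery
   reduction here. It is enough to show the exponentiation-level dependency. */
static uint64_t mulmod(uint64_t a, uint64_t b, uint64_t m) {
    return (uint64_t)(((unsigned __int128)a * b) % m);
}

/* Classic square-and-multiply. The multiply happens only for set exponent
   bits, so the amount of work (and therefore time) tracks the exponent's
   Hamming weight: exactly the dependency a timing measurement picks up. */
uint64_t modexp_variable(uint64_t base, uint64_t exp, uint64_t mod, unsigned *mults) {
    uint64_t r = 1 % mod;
    unsigned n = 0;
    for (int i = 63; i >= 0; i--) {
        r = mulmod(r, r, mod);
        n++;
        if ((exp >> i) & 1) {          /* secret-dependent branch */
            r = mulmod(r, base, mod);
            n++;
        }
    }
    if (mults) *mults = n;
    return r;
}

/* Branch-free conditional swap; bit must be 0 or 1. */
static void ct_swap(uint64_t *a, uint64_t *b, uint64_t bit) {
    uint64_t mask = (uint64_t)0 - bit;    /* 0x00..0 or 0xFF..F */
    uint64_t t = (*a ^ *b) & mask;
    *a ^= t;
    *b ^= t;
}

/* Montgomery ladder: one squaring and one multiply per bit, always.
   Invariant: r1 == r0 * base (mod m). The bit only decides which register
   is squared, and that choice is made with ct_swap rather than a branch. */
uint64_t modexp_ladder(uint64_t base, uint64_t exp, uint64_t mod, unsigned *mults) {
    uint64_t r0 = 1 % mod, r1 = base % mod;
    unsigned n = 0;
    for (int i = 63; i >= 0; i--) {
        uint64_t bit = (exp >> i) & 1;
        ct_swap(&r0, &r1, bit);
        r1 = mulmod(r0, r1, mod);
        r0 = mulmod(r0, r0, mod);
        ct_swap(&r0, &r1, bit);
        n += 2;
    }
    if (mults) *mults = n;
    return r0;
}

/* Helpers that expose the operation counts directly. */
unsigned ops_variable(uint64_t base, uint64_t exp, uint64_t mod) {
    unsigned n; modexp_variable(base, exp, mod, &n); return n;
}
unsigned ops_ladder(uint64_t base, uint64_t exp, uint64_t mod) {
    unsigned n; modexp_ladder(base, exp, mod, &n); return n;
}

/* Returns 1 when both routines compute the same residue. */
int results_agree(uint64_t base, uint64_t exp, uint64_t mod) {
    return modexp_variable(base, exp, mod, NULL) == modexp_ladder(base, exp, mod, NULL);
}

int main(void) {
    /* Constructed sample: two 32-bit exponents of very different weight. */
    const uint64_t mod = 1000000007ULL;           /* a prime, assumed for the demo */
    const uint64_t exps[2] = { 0x80000001ULL, 0xFFFFFFFFULL };
    for (int k = 0; k < 2; k++) {
        printf("exp=0x%llx  square-and-multiply: %u ops  ladder: %u ops\n",
               (unsigned long long)exps[k],
               ops_variable(3, exps[k], mod), ops_ladder(3, exps[k], mod));
    }
    return 0;
}
```

The operation count is only a proxy for wall-clock time, but it is the part a bignumber library controls at the exponentiation level: the naive routine does 66 multiplications for the light exponent and 96 for the heavy one, the ladder does 128 for both. Making the whole routine constant-time also requires the multiplication and reduction themselves to be data-independent, which the `%` above is not.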