On Tue, 12 Dec 1995, Anonymous wrote:
> > Timings like the ones listed are trivial to take in establishing things like SSL sessions, or Photuris sessions. The danger is to online protocols, not to PGP.
>
> This must be a new and interesting definition of the word "trivial" with which I was previously unfamiliar.
>
> Quite frankly, I would be extremely surprised if anyone mounted a successful hostile attack against a server's RSA certificate using timings of remotely initiated SSL sessions outside of a controlled laboratory environment.
Well, let's put it this way: people have hacked machines through firewalls via IP spoofing, and broken a single SSL RC4 40-bit session after weeks of CPU time; are you saying that perhaps being able to break a fixed Diffie-Hellman key on a central router/computer would not be worth trying? Remember, if you broke this key, and had recorded the last 6 months' worth of traffic, you can now decode all of this traffic. Once you have that secret key and those packet logs, the decoding is a trivial and mechanical process (trust me on this one).

One of the major advantages of choosing a new secret key per DH negotiation is that you lose this capacity to decrypt previous and future sessions. When we talk about taking 100s of years to factor large primes, a system that may work after a month or 2 of collecting data and statistics is definitely an easier proposition, especially when the reward is all past and future traffic.

eric
--
Eric Young               | Signature removed since it was generating
AARNet: eay@mincom.oz.au | more followups than the message contents :-)
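Eric's point about a fixed DH key versus a fresh key per negotiation, as an added example that is not part of the original thread or anyone's posted code: a passive wiretap records a few sessions, the server's fixed DH private key is later obtained by whatever means, and the attacker re-derives every recorded session key. With a fresh server exponent per session (DHE) the same recordings stay undecryptable. Assumptions: the 1024-bit MODP group from RFC 2409 with generator 2 (copied here and sanity-checked at import), a toy XOR keystream standing in for the record-layer cipher, and no authentication of the server's public value, which does not affect the forward-secrecy argument.

```python
import hashlib
import secrets

# 1024-bit MODP group ("group 2" of RFC 2409), generator 2. Copied here for
# illustration; the Fermat check guards against a mis-typed digit.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF",
    16,
)
G = 2
assert pow(G, P - 1, P) == 1, "P failed a Fermat check; re-copy it from RFC 2409"


def dh_keypair():
    """Random private exponent in [2, P-2] and the matching public value."""
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)


def session_key(priv, peer_pub):
    """g^(ab) mod p, hashed down to a 32-byte symmetric key."""
    shared = pow(peer_pub, priv, P)
    return hashlib.sha256(shared.to_bytes(128, "big")).digest()


def xor_crypt(key, data):
    """Toy stream cipher: XOR with a SHA-256 counter keystream (illustration only)."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        keystream = hashlib.sha256(key + offset.to_bytes(4, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], keystream))
    return bytes(out)


def run_session(server_static_priv, server_static_pub, plaintext, ephemeral):
    """One client/server exchange. Returns what a passive wiretap records:
    (client_pub, server_pub, ciphertext)."""
    c_priv, c_pub = dh_keypair()
    if ephemeral:
        s_priv, s_pub = dh_keypair()                 # fresh exponent per negotiation (DHE)
    else:
        s_priv, s_pub = server_static_priv, server_static_pub   # the "fixed DH key"
    # Signing s_pub with the server's long-term key is omitted here (assumption);
    # it authenticates the exchange but does not change what a wiretap can later recover.
    k_client = session_key(c_priv, s_pub)
    k_server = session_key(s_priv, c_pub)
    assert k_client == k_server
    return c_pub, s_pub, xor_crypt(k_client, plaintext)


def decrypt_recorded(transcripts, server_static_priv):
    """The attacker's step after obtaining the fixed private key: rederive each
    recorded session's key from the logged client public value and decrypt."""
    return [xor_crypt(session_key(server_static_priv, c_pub), ct)
            for c_pub, _s_pub, ct in transcripts]


def demo():
    """Returns (sessions recovered with a fixed server key, sessions recovered with DHE)."""
    static_priv, static_pub = dh_keypair()
    msgs = [b"GET /secret HTTP/1.0", b"password=hunter2", b"wire $1,000,000"]  # constructed
    recorded_static = [run_session(static_priv, static_pub, m, ephemeral=False) for m in msgs]
    recorded_dhe = [run_session(static_priv, static_pub, m, ephemeral=True) for m in msgs]
    # "Six months later" the fixed key is broken and the packet logs are replayed:
    got_static = decrypt_recorded(recorded_static, static_priv)
    got_dhe = decrypt_recorded(recorded_dhe, static_priv)
    return (sum(p == m for p, m in zip(got_static, msgs)),
            sum(p == m for p, m in zip(got_dhe, msgs)))


if __name__ == "__main__":
    print("recovered (fixed key, DHE):", demo())
```

The recorded ciphertexts are identical in form in both runs; the only difference is whether the server exponent in `session_key` is the one the attacker later holds. That is the whole of the forward-secrecy property Eric describes: breaking the fixed key is a one-time cost that pays out across every logged session, while breaking one DHE exponent pays out for one session only.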