Re: Timing Cryptanalysis Attack
"Perry E. Metzger" <perry@piermont.com> writes:
Timings like the ones listed are trivial to take in establishing things like SSL sessions, or Photuris sessions. The danger is to online protocols, not to PGP.
This must be a new and interesting definition of the word "trivial" with which I was previously unfamiliar. Quite frankly, I would be extremely surprised if anyone mounted a successful hostile attack against a server's RSA certificate using timings of remotely initiated SSL sessions outside of a controlled laboratory environment. "Timing Cryptanalysis" is one of those really cute "obvious with 20-20 hindsight" discoveries, but not one which is likely to be reliably employed by an opponent except under very carefully controlled circumstances. Peter Trei and others have already outlined excellent reasons for such skepticism, so I won't bother rehashing them here.
Any reason you felt you had to say this anonymously?
Yes. I wanted to try the nifty WWW-based remailer at http://www.replay.com/remailer/anon.html. Also, it's nice to have a pseudo-anonymous identity now that government regulation of the Net is looming on the horizon. Feel free to compare my writing style, margins, and quote string with other posts on the list in order to determine my likely "real life" identity. -Bourbaki 137
On Tue, 12 Dec 1995, Anonymous wrote:
Timings like the ones listed are trivial to take in establishing things like SSL sessions, or Photuris sessions. The danger is to online protocols, not to PGP.
This must be a new and interesting definition of the word "trivial" with which I was previously unfamiliar.
Quite frankly, I would be extremely surprised if anyone mounted a successful hostile attack against a server's RSA certificate using timings of remotely initiated SSL sessions outside of a controlled laboratory environment.
Well, let's put it this way: people have hacked machines through firewalls via IP spoofing and broken a single SSL RC4-40 bit session after weeks of CPU time; are you saying that perhaps being able to break a fixed Diffie-Hellman key on a central router/computer would not be worth trying? Remember, if you broke this key and had recorded the last 6 months' worth of traffic, you can now decode all of this traffic. Once you have that secret key and those packet logs, the decoding is a trivial and mechanical process (trust me on this one). One of the major advantages of choosing a new secret key per DH negotiation is that you lose this capacity to decrypt previous and future sessions.

When we talk about taking 100s of years to factor large primes, a system that may work after a month or 2 of collecting data and statistics is definitely an easier proposition, especially when the reward is all past and future traffic.

eric
--
Eric Young               | Signature removed since it was generating
AARNet: eay@mincom.oz.au | more followups than the message contents :-)
Anonymous writes:
"Perry E. Metzger" <perry@piermont.com> writes:
Timings like the ones listed are trivial to take in establishing things like SSL sessions, or Photuris sessions. The danger is to online protocols, not to PGP.
This must be a new and interesting definition of the word "trivial" with which I was previously unfamiliar.
Quite frankly, I would be extremely surprised if anyone mounted a successful hostile attack against a server's RSA certificate using timings of remotely initiated SSL sessions outside of a controlled laboratory environment.
Go ahead and trust that no one can do it, then. Considering that NTP can synch up clocks over the net with astonishing accuracy with multiple probes, it would be hard to believe that you couldn't similarly dramatically reduce the effects of network delays for the purposes of mounting an attack on an RSA key, too. However, if you don't believe it is possible, why, go ahead and ignore it. Not my problem what you do. Perry
On Tue, 12 Dec 1995, Perry E. Metzger wrote:
Go ahead and trust that no one can do it, then. Considering that NTP can synch up clocks over the net with astonishing accuracy with multiple probes, it would be hard to believe that you couldn't
Perry - I don't think NTP goes down to the sort of resolution that appeared to be where the signal is here, and for quantisation reasons, I don't think it can work over a public routed internetwork. I'm still open to having my mind changed here; my network weenie gut instincts tell me that routing is too non-random for the signal to propagate. [I may have misread the paper, but the accuracy required seemed to be on the order of 10-100 usecs; if I've got that wrong, could someone mail me an OOM to be working with]

Simon
Simon Spero writes:
Perry - I don't think NTP goes down to the sort of resolution that appeared to be where the signal is here, and for quantisation reasons, I don't think it can work over a public routed internetwork.
The question isn't whether you can really get the timing down as far as you want, but whether you can use statistics to cut down your search space sufficiently to make things interesting. I can't say, but I'm no longer prepared to trust the stuff, being fairly conservative in what I trust. Perry
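The disagreement in the last few messages is whether the per-operation timing signal survives network jitter once enough probes are averaged. The simulation below is an added example, not part of this thread and not code or data from Kocher's paper: the toy modulus N_MOD, the 16-bit exponent SECRET_D, the made-up operand-dependent cost function op_cost and the Gaussian jitter model are all assumptions chosen for illustration, not measurements of any real implementation. It runs Kocher's variance test against a left-to-right square-and-multiply: the attacker recovers the exponent one bit at a time from the MSB, predicts the cost of the known prefix under both hypotheses for the next bit, and keeps the hypothesis whose residual (observed time minus predicted prefix cost) has the smaller variance. With these parameters the per-bit decision statistic is roughly one standard deviation above its estimation noise when each message is timed once, and roughly six when 100 probes are averaged, which is the averaging argument above reduced to numbers one can vary.

```python
"""Simulated Kocher-style timing attack on square-and-multiply.

Everything here is a toy model built for illustration: the "cycle counts"
come from a made-up data-dependent cost function and the network is
modelled as Gaussian jitter added to each probe.  Nothing here is taken
from a real implementation or from the original paper.
"""
import random
import statistics

N_MOD = 65521       # assumed toy modulus (prime); real RSA moduli are 1024+ bits
SECRET_D = 0xB5C3   # assumed 16-bit toy private exponent the attacker wants
KEY_BITS = 16       # exponent length, assumed known to the attacker


def op_cost(a, b):
    """Made-up data-dependent cost of one modular multiply a*b mod N_MOD.

    Real code leaks through things like the conditional final subtraction in
    Montgomery multiplication; here the leak is simply a deterministic
    function of the operands that the attacker can recompute.
    """
    return 100 + ((a * b) % N_MOD) % 1009


def timed_modexp(m, d, bits):
    """Left-to-right square-and-multiply; returns (m^d mod N_MOD, total cost)."""
    x, cycles = 1, 0
    for i in range(bits - 1, -1, -1):
        cycles += op_cost(x, x)          # squaring step, always performed
        x = (x * x) % N_MOD
        if (d >> i) & 1:                 # multiply step only when the bit is 1
            cycles += op_cost(x, m)
            x = (x * m) % N_MOD
    return x, cycles


def measure(m, rng, jitter_sd, repeats):
    """Attacker's view: true cost plus Gaussian channel jitter, averaged over
    `repeats` probes.  The victim's computation is deterministic, so only
    the jitter is redrawn per probe."""
    _, true_cycles = timed_modexp(m, SECRET_D, KEY_BITS)
    noise = sum(rng.gauss(0, jitter_sd) for _ in range(repeats)) / repeats
    return true_cycles + noise


def recover_exponent(messages, timings, bits):
    """Kocher's variance test, one bit at a time from the MSB down."""
    xs = [1] * len(messages)       # per-message intermediate under the recovered prefix
    pred = [0] * len(messages)     # per-message predicted cost of that prefix
    d = 0
    for _ in range(bits):
        sq = [(x * x) % N_MOD for x in xs]
        # hypothesis 0: only the square happens; hypothesis 1: square then multiply
        pred0 = [p + op_cost(x, x) for p, x in zip(pred, xs)]
        pred1 = [p + op_cost(s, m) for p, s, m in zip(pred0, sq, messages)]
        var0 = statistics.pvariance([t - p for t, p in zip(timings, pred0)])
        var1 = statistics.pvariance([t - p for t, p in zip(timings, pred1)])
        bit = 1 if var1 < var0 else 0   # the correct prefix explains more of the time
        d = (d << 1) | bit
        if bit:
            xs = [(s * m) % N_MOD for s, m in zip(sq, messages)]
            pred = pred1
        else:
            xs, pred = sq, pred0
    return d


def run_attack(n_messages=5000, jitter_sd=10000.0, repeats=100, seed=1):
    """Time n_messages random messages (constructed inputs) and recover the exponent."""
    rng = random.Random(seed)
    messages = [rng.randrange(2, N_MOD) for _ in range(n_messages)]
    timings = [measure(m, rng, jitter_sd, repeats) for m in messages]
    return recover_exponent(messages, timings, KEY_BITS)


if __name__ == "__main__":
    print(f"secret            : {SECRET_D:#06x}")
    print(f"no jitter         : {run_attack(jitter_sd=0.0, repeats=1):#06x}")
    print(f"1 probe/message   : {run_attack(repeats=1):#06x}")
    print(f"100 probes/message: {run_attack(repeats=100):#06x}")
```

Run with python3; it prints the exponent recovered with no jitter, with one probe per message, and with 100 averaged probes. The single-probe run will usually return a wrong exponent because the jitter variance swamps the per-operation variance; the averaged run recovers it. Replacing op_cost with a constant removes the leak entirely, which is the constant-time defence.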
participants (4):
- anon-remailer@utopia.hacktic.nl
- Eric Young
- Perry E. Metzger
- Simon Spero