Timing Attacks

Bill Stewart stewarts at ix.netcom.com
Mon Dec 11 21:44:35 PST 1995


At 02:15 PM 12/11/95 -0500, "Rev. Ben" <samman-ben at CS.YALE.EDU> wrote:
>I'm not so sure I see the great usefulness of this attack.
>
>I've taken a cursory glance at Mr. Kocher's paper on-line and what it 
>comes down to essentially, if I understand it correctly, is that you need 
>to be as sure of the timing as you can be.
>
>Now, on a distributed system, you can't measure those timings, because 
>any latency could come from the originating computer, the links in the 
>middle or any combination of them.
...
>Am I missing something, or does this attack only work in a lab?

It works much better in relatively controlled environments -
smart cards, for example, are usually both slow and not busy doing 
other things, plus you can get a bunch of them and analyze the 
variance in performance across cards.  The Usual Suspects say this
does appear to affect Fortezza, plus things like digital wallets
are obvious targets.  If you're clever, you can design smart-card readers
that do the measurements for you, and convince people to use them.

The attack also works better if you can try it multiple times with the same 
numbers to work around random latency; the lowest number is closest to real.
Running on time-shared machines increases randomness a lot (though if the
Bad Guys have an account there, they can watch the machine's performance
more closely.)  On the other hand, running on shared machines has
its own set of security risks, though they're better places for Diffie-Hellman
systems than secret keys - but Diffie-Hellman needs authentication to be
safe against MITM, and therefore there's still a secret key for that.

Interesting times....  We've all been discussing whether there'd be some
major theoretical-mathematics breakthrough, and along comes an engineering
attack.
#--
#				Thanks;  Bill
# Bill Stewart, Freelance Information Architect, stewarts at ix.netcom.com
# Phone +1-510-247-0663 Pager/Voicemail 1-408-787-1281
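Added example (not part of Stewart's post or Kocher's paper): a small Python model of the two points made above, that a comparison which stops at the first mismatch leaks how much of a secret a guess shares, and that random latency is not a defense because the attacker can repeat the measurement and keep the minimum. Byte-comparison step counts stand in for elapsed time, and the latency model (uniform non-negative jitter with a fixed seed) is constructed for the demonstration; `hmac.compare_digest` is the standard-library mitigation shown at the end.

```python
import hmac
import random
import statistics


def early_exit_compare(a: bytes, b: bytes):
    """Naive comparison that stops at the first mismatching byte.

    Returns (equal, steps). `steps` counts byte comparisons and stands in
    for elapsed time: it grows with the length of the matching prefix,
    which is exactly the signal a timing attack recovers."""
    if len(a) != len(b):
        return False, 0
    steps = 0
    for x, y in zip(a, b):
        steps += 1
        if x != y:
            return False, steps
    return True, steps


def constant_time_compare(a: bytes, b: bytes):
    """Compare every byte regardless of where the first mismatch is.

    Same return shape as early_exit_compare, but `steps` is always len(a),
    so the step count carries no information about the secret. In real
    code use hmac.compare_digest rather than a hand-rolled loop."""
    if len(a) != len(b):
        return False, 0
    diff = 0
    steps = 0
    for x, y in zip(a, b):
        steps += 1
        diff |= x ^ y
    return diff == 0, steps


def noisy_sample(true_cost: int, rng: random.Random, max_jitter: int = 9) -> int:
    """One measurement: the real cost plus non-negative random latency
    (network, scheduling). Constructed noise model, not real timing."""
    return true_cost + rng.randint(0, max_jitter)


def estimate_cost(true_cost: int, samples: int, seed: int = 1):
    """Repeat the measurement `samples` times and return (min, mean).

    The minimum is the estimator Stewart describes: jitter only ever adds
    delay, so the smallest observation is the one closest to the real cost,
    while the mean stays biased upward by the average jitter."""
    rng = random.Random(seed)
    obs = [noisy_sample(true_cost, rng) for _ in range(samples)]
    return min(obs), statistics.fmean(obs)


def step_profile(compare, secret: bytes, guesses):
    """Step count per guess. With early_exit_compare the profile reveals
    how many leading bytes each guess shares with the secret; with
    constant_time_compare every guess costs the same."""
    return [compare(secret, g)[1] for g in guesses]


if __name__ == "__main__":
    SECRET = b"s3cret!!"                                 # constructed sample secret
    GUESSES = [b"xxxxxxxx", b"s3xxxxxx", b"s3cret!!"]    # 0, 2 and 8 matching bytes
    print("early-exit steps :", step_profile(early_exit_compare, SECRET, GUESSES))
    print("constant-time    :", step_profile(constant_time_compare, SECRET, GUESSES))
    print("min/mean of 300 noisy samples, true cost 3:", estimate_cost(3, 300))
    print("stdlib compare_digest:", hmac.compare_digest(SECRET, b"s3cret!!"))
```

The early-exit profile comes out as `[1, 3, 8]`, one step per matching prefix byte plus the mismatch, while the constant-time profile is `[8, 8, 8]`; and over 300 jittered samples the minimum lands on the true cost even though the mean sits several units above it, which is why adding random delay does not protect a variable-time operation.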