Timing Cryptanalysis Attack
Dr. Frederick B. Cohen
fc at all.net
Tue Dec 12 10:06:25 PST 1995
> Jim Gillogly wrote:
>
> | > Nathaniel Borenstein <nsb at nsb.fv.com> writes:
> | > Hey, don't go for constant time, that's too hard to get perfect. Add a
> | > *random* delay. This particular crypto-flaw is pretty easy to fix.
> | > (See, I'm not *always* arguing the downside of cryptography!)
>
> Does the delay have to be random, or does the total time for a
> transacation need to be unrelated to the bits in the secret key?
> Assume that the time added is pseudo-random (and confidential).
> Further, for any non-overlapping group of N transactions, the
> distribution of the times fits some predetermined curve, say a bell
> curve.
Random time won't save you - it just increases the noise, thus reducing
the effective bandwidth of the covert channel. To get the time, I only
need to do enough repetitions of the same computation to eliminate the
effect of the randomness and I have the same resulting information about
the key.
The only way to completely remove covert channels is by making the
measurable time completely independent of the actual time.
One way with the RSA might be to do the encryption with the key and the
inverse of the key (hence all 0s become 1s and 1s become 0s).
-> See: Info-Sec Heaven at URL http://all.net/
Management Analytics - 216-686-0090 - PO Box 1480, Hudson, OH 44236
More information about the cypherpunks-legacy
mailing list