Timing Cryptanalysis Attack

Johansson Lars ljo at ausys.se
Thu Dec 14 07:38:59 PST 1995




Armadillo Remailer (remailer at armadillo.com) wrote:

>Simon Spero <ses at tipper.oit.unc.edu> writes:
>
>>My gut & scribble-on-the-back-of-a-napkin feeling about this class of
>>attack is that it could be a problem for smartcards (almost certainly)
>
>Is it a problem to create smartcards that do their calculations in
>fixed time? I'd guess it should be easier than on multi-purpose
>hardware.
>
>Does the attack work for existing smartcards?

At first glance, smart cards would seem to be the most critical target
for Kocher's timing attack since they usually operate in on-line
environments.

However, all RSA smart cards I'm aware of store the result of the
RSA computation (be it decryption, signing or authentication)
internally, and it can only be read using a Get_Response command.

Of course this may not be satisfying, since the terminal could get a
(noisy) measure of the time by repeatedly using this command to
see when the result is available.

Most smart cards do nevertheless require that the user first
enter a PIN code before the RSA algorithms are operational.
This implies that even if the card gets stolen, it can't be attacked
with Kocher's method.

/Lars Johansson
ljo at ausys.se
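The polled Get_Response channel described in the message above can be simulated end to end. What follows is an added example, not code from the original post or from any card vendor: a toy RSA card that keeps its result internally, a terminal that measures the computation only by repeatedly issuing Get_Response, and an attacker that recovers the private exponent bit by bit in the manner of Kocher's attack. The card's per-operation timing model (mulcost), the poll interval, the tick units and the 37-bit modulus are assumptions chosen for the demonstration; as in Kocher's model the attacker is assumed to know the implementation well enough to recompute the timing of each intermediate operation, and the bit decision uses a correlation test between the hypothesised multiply cost and the measured times rather than Kocher's variance comparison.

```python
import math
import random

POLL_INTERVAL = 8   # ticks between two Get_Response commands (assumption)
BASE_COST = 4       # fixed ticks per modular multiplication (assumption)


def mulcost(a, b, n):
    """Assumed data-dependent timing model for a*b mod n (real cards leak via
    e.g. Montgomery extra reductions; the attacker must be able to recompute it)."""
    return BASE_COST + ((a * b % n) & 0xF)


class Card:
    """RSA card: left-to-right square-and-multiply, result kept internally."""

    def __init__(self, n, d):
        self.n, self.d, self.result, self.ready_at = n, d, None, 0

    def start(self, m):
        """Begin the private-key operation; it completes after `ticks` ticks."""
        acc, ticks = 1, 0
        for i in range(self.d.bit_length() - 1, -1, -1):
            ticks += mulcost(acc, acc, self.n)
            acc = acc * acc % self.n
            if (self.d >> i) & 1:
                ticks += mulcost(acc, m, self.n)
                acc = acc * m % self.n
        self.result, self.ready_at = acc, ticks

    def get_response(self, now):
        """Get_Response at time `now`: the result, or None while still busy."""
        return self.result if now >= self.ready_at else None


def time_via_polling(card, m, rng):
    """Terminal: send the command, then issue Get_Response every POLL_INTERVAL
    ticks from a random phase; polls * POLL_INTERVAL is a quantised measure."""
    card.start(m)
    now, polls = rng.randrange(POLL_INTERVAL), 1
    while card.get_response(now) is None:
        now, polls = now + POLL_INTERVAL, polls + 1
    return card.get_response(now), polls * POLL_INTERVAL


def centred(xs):
    mean = sum(xs) / len(xs)
    return [x - mean for x in xs]


def correlation(xs, ys):
    """Pearson correlation coefficient (0.0 if either input is constant)."""
    cx, cy = centred(xs), centred(ys)
    sxx, syy = sum(x * x for x in cx), sum(y * y for y in cy)
    if not sxx or not syy:
        return 0.0
    return sum(x * y for x, y in zip(cx, cy)) / math.sqrt(sxx * syy)


def recover_exponent(n, msgs, sigs, times, nbits):
    """Recover d from the top bit down: replay the card's intermediate value
    under the bits found so far, cost the optional multiply per message and
    test whether that cost correlates with the measured times."""
    state, bits = [1] * len(msgs), 0
    ss_t = sum(t * t for t in centred(times))
    for _ in range(nbits):
        state = [s * s % n for s in state]        # the square happens either way
        hyp = [mulcost(s, m, n) for s, m in zip(state, msgs)]
        # If the multiply really happened, hyp is one summand of the total time
        # and the correlation is about sqrt(var(hyp)/var(T)); otherwise about 0.
        expected = math.sqrt(sum(h * h for h in centred(hyp)) / ss_t)
        bit = 1 if correlation(hyp, times) > expected / 2 else 0
        bits = (bits << 1) | bit
        if bit:
            state = [s * m % n for s, m in zip(state, msgs)]
    # d's length is unknown: the pattern is left-aligned in nbits positions,
    # so shift right until the candidate verifies against a known signature.
    for shift in range(nbits):
        if (bits >> shift) and pow(msgs[0], bits >> shift, n) == sigs[0]:
            return bits >> shift
    return None


def demo(num_samples=6000, seed=1):
    """Collect timings over the polled Get_Response path, then run the attack.
    Returns (true d, recovered d)."""
    p, q = 104729, 1299709             # small primes so it runs fast (assumption)
    n, e = p * q, 65537
    d = pow(e, -1, (p - 1) * (q - 1))
    rng, card, samples = random.Random(seed), Card(n, d), []
    for _ in range(num_samples):
        m = rng.randrange(2, n - 1)    # constructed sample messages
        samples.append((m,) + time_via_polling(card, m, rng))
    msgs, sigs, times = (list(col) for col in zip(*samples))
    return d, recover_exponent(n, msgs, sigs, times, n.bit_length())


if __name__ == "__main__":
    true_d, found_d = demo()
    print("recovered" if found_d == true_d else "failed", true_d, found_d)
```

Running the script recovers the toy card's private exponent from a few thousand polled timings. The quantisation that polling introduces is a bounded, roughly uniform error on each measurement, so it only raises the number of samples the attacker needs rather than closing the channel; what removes the leak is a card whose private-key operation takes data-independent time, or one that blinds the exponentiation so the attacker can no longer predict the cost of individual operations.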






