
Paul Kocher's timing attack

Bill Simpson says, regarding Kocher's timing attack:

	This will be fixed in Photuris by dithering the return time of the
	Identification_Message.  A few extra milliseconds on top of a second
	won't be a problem.  ...

This helps to reduce the leakage of key information, but does not 
eliminate it.  The best thing to do is to ensure that the public-key
computation time is CONSTANT, independent of the message being encrypted
(or signed).  

I don't think the Photuris specs should specify dithering, since a good
implementation will have fixed (i.e. constant) timings for the cryptographic
operations.  The Photuris specs should mention this issue and recommend that
the implementations should have fixed-time operations to avoid vulnerability
to Kocher's timing attack.

(As a side note, I suspect that this sort of attack is probably extremely
difficult to mount in an Internet environment, due to packet-routing
timing variabilities.  However, it's wise to be careful...)

	Ron Rivest
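The following is an added illustration of the point made above; it is not code from Rivest's message, from Photuris, or from Kocher's paper. It models the server's public-key operation by counting modular multiplications (a stand-in for execution time), compares a variable-time square-and-multiply exponentiation with a fixed-count Montgomery ladder, and then simulates an attacker who averages many measurements of a server that adds the random delay proposed in the quoted text. All constants (the base, the modulus, the two candidate 16-bit keys, the dither range) are constructed for the example. Python cannot give real constant-time arithmetic, and the ladder below still branches on the key bit where a production implementation would use a constant-time conditional swap, so this is an operation-count model only. It also shows only the simplest leak (Hamming weight of the exponent), not Kocher's full bit-by-bit recovery.

```python
import random

# Constructed parameters for the illustration (not Photuris values).
BASE = 0x1234567
MOD = 1000003          # a prime; only needs to be a modulus
BITS = 16              # declared key length the loop always iterates over
KEY_LIGHT = 0x8000     # popcount 1
KEY_HEAVY = 0xFFFF     # popcount 16


def square_and_multiply(base, exp, mod, bits):
    """Left-to-right square-and-multiply.
    Variable-time: the extra multiply only happens for exponent bits equal
    to 1, so the count is bits + popcount(exp).  Returns (result, mults)."""
    result, mults = 1, 0
    for i in range(bits - 1, -1, -1):
        result = (result * result) % mod
        mults += 1
        if (exp >> i) & 1:
            result = (result * base) % mod
            mults += 1
    return result, mults


def montgomery_ladder(base, exp, mod, bits):
    """Montgomery ladder: exactly two multiplications per bit, whatever the
    bit's value, so the count is 2 * bits for every key.  Invariant: r1 ==
    r0 * base.  (Real code would replace the branch with a constant-time
    conditional swap; Python cannot guarantee that.)"""
    r0, r1 = 1, base % mod
    mults = 0
    for i in range(bits - 1, -1, -1):
        if (exp >> i) & 1:
            r0 = (r0 * r1) % mod
            r1 = (r1 * r1) % mod
        else:
            r1 = (r0 * r1) % mod
            r0 = (r0 * r0) % mod
        mults += 2
    return r0, mults


def mean_dithered_time(modexp, exp, samples, dither_max, seed):
    """Attacker's view: time `samples` runs of a server that adds a random
    delay of 0..dither_max time units (the dithering proposal) to each
    response.  Returns the mean observed time."""
    rng = random.Random(seed)
    total = 0
    for _ in range(samples):
        _, mults = modexp(BASE, exp, MOD, BITS)
        total += mults + rng.randint(0, dither_max)
    return total / samples


def timing_gap(modexp, exp_a, exp_b, samples=20000, dither_max=100):
    """Difference of mean observed times for two candidate keys.  The dither
    is zero-mean noise independent of the key, so averaging N samples shrinks
    its effect by sqrt(N) while a key-dependent gap survives.  Different
    seeds per key so the two noise sequences are not identical."""
    return (mean_dithered_time(modexp, exp_a, samples, dither_max, seed=1)
            - mean_dithered_time(modexp, exp_b, samples, dither_max, seed=2))


if __name__ == "__main__":
    for name, f in (("square-and-multiply", square_and_multiply),
                    ("montgomery ladder", montgomery_ladder)):
        _, light = f(BASE, KEY_LIGHT, MOD, BITS)
        _, heavy = f(BASE, KEY_HEAVY, MOD, BITS)
        print(f"{name}: mults light={light} heavy={heavy}, "
              f"gap after dithering and averaging={timing_gap(f, KEY_HEAVY, KEY_LIGHT):.2f}")
```

With dithering of up to 100 units per response, the square-and-multiply server still shows a gap of about 15 units between the two keys once 20,000 responses are averaged, which is the residual leakage Rivest refers to; the ladder shows a gap near zero because its multiplication count does not depend on the key at all.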