Paul Kocher's timing attack
Bill Simpson says, regarding Kocher's timing attack:
This will be fixed in Photuris by dithering the return time of the
Identification_Message. A few extra milliseconds on top of a second
won't be a problem. ...
This helps to reduce the leakage of key information, but does not
eliminate it. The best thing to do is to ensure that the public-key
computation time is CONSTANT, independent of the message being encrypted
(or signed).
I don't think the Photuris specs should specify dithering, since a good
implementation will have fixed (i.e. constant) timings for the cryptographic
operations. The Photuris specs should mention this issue and recommend that
the implementations should have fixed-time operations to avoid vulnerability
to Kocher's timing attack.
(As a side note, I suspect that this sort of attack is probably extremely
difficult to mount in an Internet environment, due to packet-routing
timing variabilities. However, it's wise to be careful...)
Ron Rivest
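The distinction drawn in this message between dithering and fixed-time operations, as an added example (not code from this thread or from Photuris): a constructed cost model of square-and-multiply with a uniform random delay added on top, beside a fixed-time variant, and a leakage check showing that averaging enough observations still separates two keys under dithering but not under the constant-time version. All costs, keys, dither widths and sample counts are assumptions chosen for illustration.

```python
import math
import random
import statistics

# Constructed cost model (an assumption for illustration, not measured data):
# times are in milliseconds. The exponentiation itself takes about a second,
# and each squaring or multiplication adds a fixed amount on top of that.
BASE_MS = 1000.0
SQUARE_MS = 0.1
MULTIPLY_MS = 0.1

def time_square_and_multiply(exponent: int) -> float:
    """Data-dependent cost: a multiply is done only for 1-bits of the key."""
    bits = format(exponent, "b")[1:]  # top bit just sets the initial value
    return BASE_MS + sum(SQUARE_MS + (MULTIPLY_MS if b == "1" else 0.0)
                         for b in bits)

def time_constant(exponent: int) -> float:
    """Fixed-time variant: square and multiply on every bit (discarding the
    product for 0-bits), so the cost depends only on the key length."""
    return BASE_MS + (exponent.bit_length() - 1) * (SQUARE_MS + MULTIPLY_MS)

def dithered(cost: float, dither_ms: float, rng: random.Random) -> float:
    """Simpson's proposal: a random delay before the Identification_Message."""
    return cost + rng.uniform(0.0, dither_ms)

def keys_distinguishable(time_fn, key_a: int, key_b: int, samples: int,
                         dither_ms: float, seed: int = 7) -> bool:
    """Leakage check: collect dithered timings for two keys and test whether
    the means differ by more than five standard errors. Uniform dither of
    width d has standard deviation d/sqrt(12); the error of a mean shrinks
    like 1/sqrt(samples), so a fixed cost difference eventually shows through."""
    rng = random.Random(seed)
    ta = [dithered(time_fn(key_a), dither_ms, rng) for _ in range(samples)]
    tb = [dithered(time_fn(key_b), dither_ms, rng) for _ in range(samples)]
    diff = abs(statistics.fmean(ta) - statistics.fmean(tb))
    stderr = math.sqrt((statistics.variance(ta) + statistics.variance(tb)) / samples)
    return diff > 5 * stderr

# Constructed 16-bit keys of equal length with Hamming weights 4 and 12.
KEY_LOW = 0b1000000000000111
KEY_HIGH = 0b1111111111100001

if __name__ == "__main__":
    for name, fn in (("square-and-multiply", time_square_and_multiply),
                     ("constant-time", time_constant)):
        leak = keys_distinguishable(fn, KEY_LOW, KEY_HIGH, 20000, 5.0)
        print(f"{name}: keys separable through 5 ms of dither: {leak}")
```

Widening the dither only raises the number of samples needed (quadratically in the width), while the constant-time variant leaves nothing for the average to converge on.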