Remote RSA Timing Attacks Practical
David Brumley and Dan Boneh write "Timing attacks are usually used to attack weak computing devices such as smartcards. We show that timing attacks apply to general software systems. Specifically, we devise a timing attack against OpenSSL. Our experiments show that we can extract private keys from an OpenSSL-based server such as Apache with mod_SSL and stunnel running on a machine in the local network. Our results demonstrate that timing attacks against widely deployed network servers are practical. Subsequently, software should implement defenses against timing attacks. Our paper can be found at Stanford's Applied Crypto Group."
I'm pretty sure you're trolling, but I'll bite...
:)
Your elitism has been commented on thoroughly, so I'll skip to the meat.
It takes 1.5 million queries to break an SSL key using this technique if you have an account on the same machine. That's for a local attack.
They go on to give evidence that a remote attack is possible, but don't actually give parameters that would indicate the complexity of the attack. 1.5 million queries is already kind of pushing it though, and I would imagine taking the attack to the remote setting, even with a small round trip, will explode the complexity significantly. So the attack may not be feasible at all.
Furthermore, adding random variance to latency data doesn't theoretically help much. Get enough samples, and that noise drops out. It raises the number of queries, yes, but doesn't stop the latency from forming a statistically usable distribution.
-Lux
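The comment's point about random latency variance can be checked numerically. The following simulation is an added example, not code from the post or the paper; the latency model and every constant in it (1000 µs base cost, 20 µs measurement noise, a 5 µs secret-dependent gap, 500 µs of random padding) are constructed assumptions.

```python
import math
import random
import statistics

NOISE_SD_US = 20.0   # assumed measurement noise (constructed value)
BASE_US = 1000.0     # assumed fixed processing cost (constructed value)

def sample_latency(rng, delta_us, jitter_us):
    """One simulated response time in microseconds under the assumed model."""
    noise = rng.gauss(0.0, NOISE_SD_US)
    padding = rng.uniform(0.0, jitter_us)   # random delay added by the server
    return BASE_US + delta_us + noise + padding

def mean_gap(rng, n, delta_us, jitter_us):
    """Mean latency difference between two input classes, n samples each."""
    slow = [sample_latency(rng, delta_us, jitter_us) for _ in range(n)]
    fast = [sample_latency(rng, 0.0, jitter_us) for _ in range(n)]
    return statistics.fmean(slow) - statistics.fmean(fast)

def samples_needed(delta_us, jitter_us, z=3.0):
    """Samples per class until delta_us exceeds z standard errors of the gap."""
    # uniform(0, J) padding contributes variance J^2 / 12
    variance = NOISE_SD_US ** 2 + jitter_us ** 2 / 12.0
    return math.ceil(2.0 * variance * z * z / (delta_us * delta_us))

if __name__ == "__main__":
    rng = random.Random(2003)  # fixed seed so the run is repeatable
    for jitter in (0.0, 500.0):
        print(f"jitter={jitter:5.0f}us  samples needed ~ {samples_needed(5.0, jitter)}")
    # The measured gap settles toward the true 5us as n grows, despite the padding.
    for n in (100, 10_000, 200_000):
        print(f"n={n:7d}  gap with jitter = {mean_gap(rng, n, 5.0, 500.0):7.2f}us")
    # When processing time does not depend on the secret, no sample count helps.
    print(f"no secret-dependent time: gap = {mean_gap(rng, 200_000, 0.0, 500.0):5.2f}us")
```

Under these assumptions the padding multiplies the number of measurements required but the 5 µs gap still emerges from the averages, whereas removing the secret-dependent time leaves a gap near zero at any sample count.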