Slashdot Mirror


Remote RSA Timing Attacks Practical

David Brumley and Dan Boneh write "Timing attacks are usually used to attack weak computing devices such as smartcards. We show that timing attacks apply to general software systems. Specifically, we devise a timing attack against OpenSSL. Our experiments show that we can extract private keys from an OpenSSL-based server such as Apache with mod_SSL and stunnel running on a machine in the local network. Our results demonstrate that timing attacks against widely deployed network servers are practical. Subsequently, software should implement defenses against timing attacks. Our paper can be found at Stanford's Applied Crypto Group."

2 of 223 comments

  1. Uniform response time. by The+Monster · · Score: 2, Redundant
    Rather than randomly padding the response time, how about running tests to determine the longest time the calculation can reasonably be expected to take, then adding some fudge factor to arrive at a set constant?
    Where 'constant' need only be constant for a specific length of message. An implementation that allows different-sized packets to be input would be allowed to use a formula to determine the response time, such that any two packets of the same size would have the same response time.
    Set a timer to that constant prior to the calculation to trigger the actual reply at the specified time. That way EVERY transaction takes EXACTLY the same time, and no information is given up. Even the dumbest smart cards should be capable of keeping track of time.

    Alternatively, add your random padding to the constant, not to the time required to do the calculation. That has the advantage of giving DISinformation to the attacker. And there is a certain charm to that, don't you think?

    --

    [100% ISO 646 Compliant]
    SVM, ERGO MONSTRO.

  2. Re:In a nutshell... by Xenographic · · Score: 0, Redundant

    You don't want to add randomness; the signal will still be there, just under more noise. You want to remove that signal entirely, by making all these calculations take the same amount of time, no matter what; even if you can short circuit them. If you think about it long enough, you'll realize that we want to remove the information we're sending them--that's much better than hiding it :]
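
The two comments above contrast random padding with a fixed reply deadline. The following is an added example, not part of the thread or of the paper: a small simulation comparing how much of a data-dependent timing difference survives averaging under each scheme. All timings (1000 µs vs 1010 µs compute cost, 50 µs jitter, 1500 µs deadline, 0-400 µs padding) and all function names are constructed assumptions.

```python
import random

# Constructed model: two request classes whose private-key operation differs
# slightly in cost. That 10 us difference is the "signal" a timing attack reads.
COMPUTE_US = {"fast": 1000.0, "slow": 1010.0}
JITTER_US = 50.0       # assumed network/scheduler noise (standard deviation)
DEADLINE_US = 1500.0   # assumed worst-case compute time plus a fudge factor
PAD_MAX_US = 400.0     # assumed upper bound of the random padding

def random_pad(kind, rng):
    # Random delay added on top of the calculation time.
    return COMPUTE_US[kind] + rng.uniform(0, PAD_MAX_US)

def fixed_deadline(kind, rng):
    # A timer is set before the calculation; the reply leaves when it fires.
    if COMPUTE_US[kind] > DEADLINE_US:
        raise RuntimeError("deadline shorter than the work: timing would leak")
    return DEADLINE_US

def deadline_plus_random(kind, rng):
    # Randomness added to the constant, not to the calculation time.
    return fixed_deadline(kind, rng) + rng.uniform(0, PAD_MAX_US)

def observed_gap(respond, samples, seed=1):
    """Mean observed time for 'slow' minus mean for 'fast', in microseconds."""
    rng = random.Random(seed)
    means = {}
    for kind in ("fast", "slow"):
        obs = [respond(kind, rng) + rng.gauss(0, JITTER_US)
               for _ in range(samples)]
        means[kind] = sum(obs) / len(obs)
    return means["slow"] - means["fast"]

if __name__ == "__main__":
    for name, scheme in [("random padding", random_pad),
                         ("fixed deadline", fixed_deadline),
                         ("deadline + random", deadline_plus_random)]:
        print(f"{name:18s} gap = {observed_gap(scheme, 200_000):7.3f} us")
```

With enough samples the gap under random padding converges on the underlying 10 µs difference, while both deadline-based schemes converge on zero because the observed time no longer depends on the calculation.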