diff options
| author | Matt Johnston <matt@ucc.asn.au> | 2007-01-11 03:14:55 +0000 |
|---|---|---|
| committer | Matt Johnston <matt@ucc.asn.au> | 2007-01-11 03:14:55 +0000 |
| commit | 9d5ed350a749368c84254c11e7616ce3c891193a (patch) | |
| tree | 6dacbff2e9f5c60a1568382db55c72dd6d2ce925 /libtomcrypt/notes/tech0002.txt | |
| parent | ca52f070aecf91e75f6ae6c87d4ae1a2189ccb14 (diff) | |
| parent | 5ea605d8de5b4438deb4fa86c5231710dd09f934 (diff) | |
propagate from branch 'au.asn.ucc.matt.ltm.dropbear' (head 2af95f00ebd5bb7a28b3817db1218442c935388e)
to branch 'au.asn.ucc.matt.dropbear' (head ecd779509ef23a8cdf64888904fc9b31d78aa933)
--HG--
extra : convert_revision : d26d5eb2837f46b56a33fb0e7573aa0201abd4d5
Diffstat (limited to 'libtomcrypt/notes/tech0002.txt')
| -rw-r--r-- | libtomcrypt/notes/tech0002.txt | 52 |
1 files changed, 52 insertions, 0 deletions
diff --git a/libtomcrypt/notes/tech0002.txt b/libtomcrypt/notes/tech0002.txt new file mode 100644 index 0000000..b9990e0 --- /dev/null +++ b/libtomcrypt/notes/tech0002.txt @@ -0,0 +1,52 @@ +Tech Note 0002 +How to avoid non-intrusive timing attacks with online computations +Tom St Denis + +Introduction +------------ + +A timing attack is when an attacker can observe a side channel of the device (in this case time). In this tech note +we consider only non-intrusive timing attacks with respect to online computations. That is an attacker can +determine when a computation (such as a public key encryption) begins and ends but cannot observe the device +directly. This is specifically important for applications which transmit data via a public network. + +Consider a Diffie-Hellman encryption which requires the sender to make up a public key "y = g^x mod p". Libtomcrypt +uses the MPI bignum library to perform the operation. The time it takes to compute y is controlled by the number +of 1 bits in the exponent 'x'. To a large extent there will be the same number of squaring operations. "1" bits in +the exponent require the sender to perform a multiplication. This means to a certain extent an attacker can +determine not only the magnitude of 'x' but the number of one bits. With this information the attacker cannot directly +learn the key used. However, good cryptography mandates the close scrutiny of any practical side channel. + +Similar logic applies to the other various routines. Fortunately for this case there is a simple solution. First, +determine the maximum time the particular operation can require. For instance, on an Athlon 1.53Ghz XP processor a +DH-768 encryption requires roughly 50 milliseconds. Take that time and round it up. Now place a delay after the call. + +For example, + +void demo(void) { + clock_t t1; + + // get initial clock + t1 = clock(); + + // some PK function + + // now delay + while (clock() < (t1 + 100)); + + // transmit data... + +} + +This code has the effect of taking at least 100 ms always. In effect someone analyzing the traffic will see that the +operations always take a fixed amount of time. Since no two platforms are the same this type of fix has not been +incorporated into libtomcrypt (nor is it desired for many platforms). This requires on the developers part to profile +the code to determine the delays required. + +Note that this "quick" fix has no effect against an intrusive attacker. For example, power consumption will drop +significantly in the loop after the operation. However, this type of fix is more important to secure the user of the +application/device. For example, a user placing an order online won't try to cheat themselves by cracking open their +device and performing side-channel cryptanalysis. An attacker over a network might try to use the timing information +against the user. + + |