diff options
| author | Matt Johnston <matt@ucc.asn.au> | 2006-03-21 16:20:59 +0000 |
|---|---|---|
| committer | Matt Johnston <matt@ucc.asn.au> | 2006-03-21 16:20:59 +0000 |
| commit | f7caf6f5c640cb1756c01184898f176438a3a0c2 (patch) | |
| tree | 4d32de11b18d5f6296207961b5f25d0949af80c0 /libtomcrypt/notes/tech0002.txt | |
| parent | e444f0cfe67c71d3f38854f27cefae9aea6c4cd9 (diff) | |
| parent | 3f49fc5f2ca0ec4adb5cac081f502cbb86702efa (diff) | |
propagate from branch 'au.asn.ucc.matt.dropbear' (head 0501e6f661b5415eb76f3b312d183c3adfbfb712)
to branch 'au.asn.ucc.matt.dropbear.cli-agent' (head 01038174ec27245b51bd43a66c01ad930880f67b)
--HG--
branch : agent-client
extra : convert_revision : 12b2f59db65e7339d340e95ac67d6d9ddb193c2b
Diffstat (limited to 'libtomcrypt/notes/tech0002.txt')
| -rw-r--r-- | libtomcrypt/notes/tech0002.txt | 52 |
1 files changed, 52 insertions, 0 deletions
diff --git a/libtomcrypt/notes/tech0002.txt b/libtomcrypt/notes/tech0002.txt new file mode 100644 index 0000000..b9990e0 --- /dev/null +++ b/libtomcrypt/notes/tech0002.txt @@ -0,0 +1,52 @@ +Tech Note 0002 +How to avoid non-intrusive timing attacks with online computations +Tom St Denis + +Introduction +------------ + +A timing attack is when an attacker can observe a side channel of the device (in this case time). In this tech note +we consider only non-intrusive timing attacks with respect to online computations. That is an attacker can +determine when a computation (such as a public key encryption) begins and ends but cannot observe the device +directly. This is specifically important for applications which transmit data via a public network. + +Consider a Diffie-Hellman encryption which requires the sender to make up a public key "y = g^x mod p". Libtomcrypt +uses the MPI bignum library to perform the operation. The time it takes to compute y is controlled by the number +of 1 bits in the exponent 'x'. To a large extent there will be the same number of squaring operations. "1" bits in +the exponent require the sender to perform a multiplication. This means to a certain extent an attacker can +determine not only the magnitude of 'x' but the number of one bits. With this information the attacker cannot directly +learn the key used. However, good cryptography mandates the close scrutiny of any practical side channel. + +Similar logic applies to the other various routines. Fortunately for this case there is a simple solution. First, +determine the maximum time the particular operation can require. For instance, on an Athlon 1.53Ghz XP processor a +DH-768 encryption requires roughly 50 milliseconds. Take that time and round it up. Now place a delay after the call. + +For example, + +void demo(void) { + clock_t t1; + + // get initial clock + t1 = clock(); + + // some PK function + + // now delay + while (clock() < (t1 + 100)); + + // transmit data... + +} + +This code has the effect of taking at least 100 ms always. In effect someone analyzing the traffic will see that the +operations always take a fixed amount of time. Since no two platforms are the same this type of fix has not been +incorporated into libtomcrypt (nor is it desired for many platforms). This requires on the developers part to profile +the code to determine the delays required. + +Note that this "quick" fix has no effect against an intrusive attacker. For example, power consumption will drop +significantly in the loop after the operation. However, this type of fix is more important to secure the user of the +application/device. For example, a user placing an order online won't try to cheat themselves by cracking open their +device and performing side-channel cryptanalysis. An attacker over a network might try to use the timing information +against the user. + + |