[Bodo Moeller <bodo at openssl.org>] OpenSSL Security Advisory: Timing-based attacks on SSL/TLS with CBC encryption

Zully Ramzan zramzan at ipdynamics.com
Fri Feb 21 15:02:57 EST 2003


The idea is also similar to timing attacks against very, very
badly-implemented password checking schemes; e.g. where a reply by some
verifying server to a correct guess on the first n characters of a
password takes slightly longer than a reply to a correct guess on only
the initial n-1 characters (because an error is returned as soon as the
first character is encountered).   

In these cases, the attack is also linear since one character at a time
can be guessed, and the timing of the response provides an indication of
whether or not the guess is correct.  

I believe we've also seen this type of paradigm in many cryptanalytic
instances wherein a guess for just a portion of a secret key can be
verified, thereby reducing the time for a brute-force search since one
first guesses this portion, and gets it right, before trying to guess
the remainder of the key material.  

Regards,
Zully

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Zulfikar Ramzan
IP Dynamics, Inc.   http://www.ipdynamics.com
Unfettered, Simple VPNs
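As an added illustration of the password-checking case described above (this code is not from the thread or from either poster), the following Python compares an early-exit string comparison with a constant-time one. Rather than measuring wall-clock time, each function returns the number of byte comparisons it performed, which is the quantity a timing channel exposes: for the early-exit version the count equals the length of the matching prefix plus one, while the constant-time version always performs the full-length comparison. The `secret` and `guess` values are constructed sample inputs; `hmac.compare_digest` is the standard library's constant-time comparison and is the mitigation a practitioner would use.

```python
"""
Added example (not from the mailing-list thread): an early-exit password
comparison whose work depends on the matching prefix, next to a comparison
that does a fixed amount of work.  Each function returns (match, steps),
where steps is the number of byte comparisons performed.
"""
import hmac


def naive_compare(secret: bytes, guess: bytes) -> tuple[bool, int]:
    """Early-exit comparison: returns at the first mismatching byte.

    The step count (and therefore the running time) grows with the length
    of the correct prefix of the guess, which is the leak the thread
    discusses.
    """
    if len(secret) != len(guess):
        return False, 0
    steps = 0
    for a, b in zip(secret, guess):
        steps += 1
        if a != b:
            return False, steps
    return True, steps


def constant_time_compare(secret: bytes, guess: bytes) -> tuple[bool, int]:
    """Fixed-work comparison: visits every byte and accumulates the
    difference with OR, so the step count is independent of where the
    first mismatch is.  Length is still compared up front; in practice the
    secret would be a fixed-length hash, so the length is not sensitive.
    """
    if len(secret) != len(guess):
        return False, 0
    diff = 0
    steps = 0
    for a, b in zip(secret, guess):
        steps += 1
        diff |= a ^ b
    return diff == 0, steps


def stdlib_compare(secret: bytes, guess: bytes) -> bool:
    """What production code should call: hmac.compare_digest is the
    standard library's constant-time comparison."""
    return hmac.compare_digest(secret, guess)


def leaked_prefix_length(secret: bytes, guess: bytes) -> int:
    """How many leading bytes of the guess the naive comparator confirms
    through its step count (used to show the leak in the demo)."""
    matched, steps = naive_compare(secret, guess)
    return steps if matched else steps - 1


if __name__ == "__main__":
    # Constructed sample values for the demonstration.
    secret = b"hunter2"
    for guess in (b"xunter2", b"huntxxx", b"hunter2"):
        print(guess, "naive:", naive_compare(secret, guess),
              "constant:", constant_time_compare(secret, guess),
              "stdlib:", stdlib_compare(secret, guess))
```

Running the block shows the naive comparator stopping after 1, 5 and 7 steps for the three guesses, while the constant-time comparator reports 7 steps every time; a verifier that cannot distinguish guesses by work done has nothing to leak one position at a time.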
 

> -----Original Message-----
> From: Steven M. Bellovin [mailto:smb at research.att.com]
> Sent: Friday, February 21, 2003 6:17 AM
> To: EKR
> Cc: cryptography at wasabisystems.com
> Subject: Re: [Bodo Moeller <bodo at openssl.org>] OpenSSL Security
> Advisory: Timing-based attacks on SSL/TLS with CBC encryption
> 
> I'm struck by the similarity of this attack to Matt Blaze's master key
> paper.  In each case, you're guessing at one position at a time, and
> using the response of the security system as an oracle.  What's
> crucial in both cases is the one-at-a-time aspect -- that's what makes
> the attack linear instead of exponential.
> 
> 
> 		--Steve Bellovin, http://www.research.att.com/~smb (me)
> 		http://www.wilyhacker.com (2nd edition of "Firewalls" book)

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at wasabisystems.com