[Bodo Moeller <bodo at openssl.org>] OpenSSL Security Advisory: Timing-based attacks on SSL/TLS with CBC encryption

John Kelsey kelsey.j at ix.netcom.com
Fri Feb 28 17:31:58 EST 2003


At 12:02 PM 2/21/03 -0800, Zully Ramzan wrote:
...
>I believe we've also seen this type of paradigm in many cryptanalytic
>instances wherein a guess for just a portion of a secret key can be
>verified, thereby reducing the time for a brute-force search since one
>first guesses this portion, and gets it right, before trying to guess
>the remainder of the key material.

Yep.  The thing that I found fun about this attack was that it so 
completely sidesteps the protections of the crypto.  If you think about it, 
the whole concept of the attack is to force the recipient's execution path 
to react without the benefit of a cryptographic check on its actions.

This attack made me think of the attack on SSH-encrypted passwords using 
timing / keystroke analysis.  Again, a clever way to do an end-run around 
the crypto.

If you think about compression before encryption in this context, you could 
imagine someone actually causing a software crash (or even a buffer 
overrun, though not one they could control very well) by altering the 
ciphertext, and thus giving the decompressor routines a bunch of random 
bits to deal with.  (I mentioned the possibility of using this sort of 
thing in an attack in my compression side channel paper at FSE last year, 
but I certainly didn't have this kind of clever attack in mind!)

>Regards,
>Zully

--John Kelsey, kelsey.j at ix.netcom.com
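The "execution path reacting without a cryptographic check" that the thread discusses can be shown as receiver logic. The following is an added example, not code from this post or from OpenSSL: it models only what a TLS 1.0 CBC receiver does after decryption (plaintext || MAC || padding), with a constructed key and record, and puts the early-return shape beside the always-compute-the-MAC shape the advisory fix moved to.

```python
import hmac
import hashlib

MAC_LEN = 20             # HMAC-SHA1 tag length, as in TLS 1.0 CBC cipher suites
MAC_CALLS = {"n": 0}     # instrumentation only: counts how often the MAC is really computed

def _mac(key: bytes, data: bytes) -> bytes:
    MAC_CALLS["n"] += 1
    return hmac.new(key, data, hashlib.sha1).digest()

def unpad_tls(decrypted: bytes):
    """TLS padding: last byte n, preceded by n bytes all equal to n. None if malformed."""
    if not decrypted:
        return None
    n = decrypted[-1]
    if n + 1 > len(decrypted) or any(b != n for b in decrypted[-(n + 1):]):
        return None
    return decrypted[:-(n + 1)]

def build_record(mac_key: bytes, payload: bytes, pad_len: int) -> bytes:
    """Constructed receiver input: payload || MAC || padding (what CBC decryption yields)."""
    return payload + _mac(mac_key, payload) + bytes([pad_len]) * (pad_len + 1)

def leaky_check(mac_key: bytes, decrypted: bytes) -> bool:
    """The vulnerable shape: padding is checked first and a failure returns before any
    MAC work, so a bad-padding record is rejected measurably faster than a bad-MAC one."""
    body = unpad_tls(decrypted)
    if body is None or len(body) < MAC_LEN:
        return False                      # MAC never computed: the timing side channel
    payload, tag = body[:-MAC_LEN], body[-MAC_LEN:]
    return _mac(mac_key, payload) == tag  # plain == also compares byte by byte

def hardened_check(mac_key: bytes, decrypted: bytes) -> bool:
    """The mitigation: the MAC is always computed and compared in constant time, and the
    padding and MAC verdicts are combined without short-circuiting, so both failure
    paths do the same work and should surface as the same error to the peer."""
    body = unpad_tls(decrypted)
    padding_ok = body is not None and len(body) >= MAC_LEN
    if not padding_ok:
        body = decrypted.ljust(MAC_LEN, b"\x00")   # run the MAC over a dummy, never skip it
    payload, tag = body[:-MAC_LEN], body[-MAC_LEN:]
    mac_ok = hmac.compare_digest(_mac(mac_key, payload), tag)
    return padding_ok & mac_ok

if __name__ == "__main__":
    key = b"constructed-mac-key"
    good = build_record(key, b"GET / HTTP/1.0", 3)
    bad_pad = good[:-1] + bytes([good[-1] ^ 0x01])   # corrupt the pad-length byte
    print(leaky_check(key, good), leaky_check(key, bad_pad), hardened_check(key, bad_pad))
```

The counter makes the difference visible without a stopwatch: on a bad-padding record `leaky_check` never touches the MAC, while `hardened_check` does exactly the same MAC work as on a bad-MAC record.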



The Cryptography Mailing List