Optimisation Considered Harmful
James A. Donald
jamesd at echeque.com
Sat Jun 25 13:27:16 EDT 2005
--
James A. Donald:
> > Suppose you have something that is inadvertently an
> > oracle - it encrypts stuff from many different users
> > preparatory to sending it out over the internet, and
> > makes no effort to strongly authenticate a user.
> >
> > Have it encrypt stuff into a buffer, and on a timer
> > event, send out the buffer.
> >
> > Your code is now of course multithreaded - very easy
> > to get multithreading bugs that never show up during
> > testing, but nondeterministically show up in actual
> > use.

On 24 Jun 2005 at 12:25, Dan Kaminsky wrote:
> The problem is with edges:
>
> Now, suppose your timer goes off every 200ms. No
> problem, right?
>
> At time=190ms, you force an encryption. If it's done
> by the time=200ms deadline, you know.

It should have been needless to say that at the end of
each time frame, the oracle only starts sending out
stuff encrypted in response to data received at least n
time frames previously, where n is a small positive
number, possibly one.

A time frame is longer than the difference between the
quickest and slowest encryption of a block. n time
frames is longer than the slowest encryption of a block.

--digsig
James A. Donald
6YeGpsZR+nOTh/cGwvITnSR3TdzclVpR0+pr3YYQdkG
JdXC3IuQNnYvM2SrAOIY2iLJyhKf21IR191yeebK
4FIl5EvQ0dseZCj2m2/NsQANv7tID98AAQ+pJMARn
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
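
The delayed-release rule from the message above, set beside a buffer that is simply flushed on every timer tick, as an added example that is not part of the original post. The 200 ms frame and n = 1 come from the thread; the 5 ms and 150 ms encryption-time bounds and all function names are assumptions chosen for illustration.

```python
FRAME_MS = 200                    # timer period used in the thread
N_FRAMES = 1                      # "n is a small positive number, possibly one"
FASTEST_MS, SLOWEST_MS = 5, 150   # constructed bounds on one block's encryption time


def next_boundary(t_ms, frame_ms=FRAME_MS):
    """Smallest multiple of frame_ms that is >= t_ms (integer milliseconds)."""
    return -(-t_ms // frame_ms) * frame_ms


def naive_release(arrival_ms, enc_ms):
    """Flush on every tick: output leaves at the first tick after encryption ends."""
    return next_boundary(arrival_ms + enc_ms)


def delayed_release(arrival_ms, enc_ms, frame_ms=FRAME_MS, n=N_FRAMES,
                    fastest_ms=FASTEST_MS, slowest_ms=SLOWEST_MS):
    """At tick T, send only results for data received at or before T - n*frame."""
    # The two conditions stated in the message.
    if frame_ms <= slowest_ms - fastest_ms:
        raise ValueError("frame must exceed the slowest-minus-quickest encryption gap")
    if n * frame_ms <= slowest_ms:
        raise ValueError("n frames must exceed the slowest encryption")
    if not fastest_ms <= enc_ms <= slowest_ms:
        raise ValueError("encryption time outside the assumed bounds")
    release = next_boundary(arrival_ms, frame_ms) + n * frame_ms
    # The result is always ready before its tick, so enc_ms never moves the tick.
    assert arrival_ms + enc_ms < release
    return release


def observable_release_times(release_fn, arrival_ms, enc_times_ms):
    """Distinct send times an observer could see for one arrival time."""
    return {release_fn(arrival_ms, e) for e in enc_times_ms}


if __name__ == "__main__":
    durations = range(FASTEST_MS, SLOWEST_MS + 1)
    # Arrival at 190 ms is the edge case raised in the quoted reply.
    for fn in (naive_release, delayed_release):
        print(fn.__name__, sorted(observable_release_times(fn, 190, durations)))
```

More than one distinct send time for a single arrival means the tick at which the output appears still depends on how long the encryption took.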