[Cryptography] cheap sources of entropy

[ianG]

On 2/02/14 07:27 AM, Jerry Leichter wrote:
> On Feb 1, 2014, at 4:58 PM, James A. Donald wrote:
>> On 2014-02-02 06:38, Bill Stewart wrote:
>>> Definitely not.  If you're on a VM, you have 0..n virtual disk drives, which the hypervisor simulates from a datastore pool and maybe some cache.
>>
>> Underneath all that are real material disk drives, which have turbulence.  The turbulence causes random and entirely unpredictable timing variations, which unpredictability and variation propagate all the way to the VM
> No, Bill Stewart is right.  There are multiple layers of software with all kinds of buffering, queuing, operations that are kicked off by clocks at fairly long intervals (way longer than the timing variations seen in disk responses), in between.  It's highly unlikely that any low-level variation in disk response times will be visible by the time you reach the guest OS.


I agree in principle.  But what strikes me is as odd is that this is a
similar argument to that used to justify side-channel timing analysis of
server keys.

I cannot fathom how we can see through the complexity of modern server
software and internet connections to analyse public key
signing/encryption to extract out the private key.

Yet it's been done.  Maybe this is just one of those things where we can
extract enough information if we do it in the lab, and control the
environment closely (set up the HTTPD to be the only service running,
nothing else allowed on the network, one hop only...).


...
> Now, you could if you wanted just say, well, if it's too complicated to analyze, it's too complicated to attack.  *You* could.


I think, in a busy world, there are more important things to think
about.  We have to be careful to optimise our limited time to deal with
threats that are real, and not ones that make our geekly spines tingle.



iang