[Cryptography] BBC to deploy detection vans to snoop on internet users

Kristian Gjøsteen kristian.gjosteen at math.ntnu.no
Tue Aug 9 03:45:39 EDT 2016


On 9 Aug 2016 at 00:29, Jerry Leichter <leichter at lrw.com> wrote:
> We define security for cipher algorithms, and often for modes and even protocols, in a way that completely ignores leakage of message length and timing - assuming that it doesn't really matter very much (if you use a block cipher the length is only known mod 16 or maybe somewhat more, who cares) or, in the case of timing, that this is simply outside the domain of analysis.

No, cryptologists do not assume that it doesn’t really matter very much.

Cryptologists know very well that these issues can be very important for applications. What cryptologists also know is that crypto primitives usually cannot deal effectively with these issues, since crypto primitives must support many different application requirements.

This is obvious for application timing attacks. (There are timing attacks on the primitives themselves, where the designer can contribute, of course, but that is different from application timing attacks.)

For things like message length, you could in theory mitigate the problem by padding everything to multiples of 512 bytes (or 1024, or 2048, or 31415, or …), but this is inefficient, since the crypto primitive designer does not in advance know the application requirements, and for any mitigation, probably I can come up with an application where that mitigation fails.

Yes, we have to deal with these things. But there’s a limit to what crypto primitives can do. Cryptologists are usually very explicit about what those limits are. Information security people and application designers may need to be better aware of these limits, of course.

-- 
Kristian Gjøsteen
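As an added illustration of the padding trade-off discussed in the message above (this is example code, not from the post or its author), the snippet below models an application that sends one of six fixed responses (constructed lengths) and measures how many bits about which response was sent an observer still learns from the ciphertext length under different padding granularities.

```python
import math
from collections import Counter


def padded_length(msg_len: int, block: int) -> int:
    """Length on the wire after padding the message up to a multiple of `block`.

    A zero-length message still occupies one block, so "nothing was sent" is
    not distinguishable from "a short message was sent".
    """
    return max(1, math.ceil(msg_len / block)) * block


def length_classes(msg_lens, block: int) -> dict:
    """Map each plaintext length to the ciphertext length an observer sees."""
    return {n: padded_length(n, block) for n in msg_lens}


def leaked_entropy_bits(msg_lens, block: int) -> float:
    """Shannon entropy (bits) of the observed-length distribution when one
    message is drawn uniformly from `msg_lens`.

    0.0 means the padding hides which message was sent;
    log2(len(msg_lens)) means the length reveals it completely.
    """
    observed = Counter(padded_length(n, block) for n in msg_lens)
    total = len(msg_lens)
    return -sum((c / total) * math.log2(c / total) for c in observed.values())


# Constructed sample (hypothetical): plaintext sizes of six responses an
# application might send, e.g. different error pages or record types.
RESPONSE_LENGTHS = [37, 90, 500, 600, 1500, 4000]

if __name__ == "__main__":
    for block in (16, 512, 4096):
        print(f"block={block:5d}  classes={length_classes(RESPONSE_LENGTHS, block)}")
        print(f"            leaked={leaked_entropy_bits(RESPONSE_LENGTHS, block):.3f} bits")
```

Padding to 512 bytes merges the three short responses into one class but still separates the rest; only a block at least as large as the longest message (here 4096) drives the leakage to zero, at the cost of sending 4096 bytes for a 37-byte reply, which is the efficiency objection the message makes.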


