[Cryptography] [FORGED] Attackers will always win, and it's getting worse!
Peter Gutmann
pgut001 at cs.auckland.ac.nz
Mon Jul 10 00:40:03 EDT 2017
Henry Baker <hbaker1 at pipeline.com> writes:
>User crypto software (the "attacked") has to run in such a way that:
>a. It produces the correct answer; and
>b. It does NOT LEAK SECRET INFORMATION through side-channels -- e.g.,
> timing/power/etc.
However, in virtually all situations a >>> b. In fact, in most cases you
can safely ignore b, because such an attack is impossible/impractical/too
expensive/far easier attacks exist/etc.
In addition, even where b is a concern, it's often far easier to do the
crypto in whatever way is the most efficient and then deal with
side-channels through shielding, power supply decoupling, etc.
OTOH you really do need to worry about a. Look at the number of 0days and
other subversion mechanisms used by TLAs that have leaked in the last couple
of years. Making sure your code has no holes in it is a far more serious
issue than side channels.
>Any thoughts on how to better engineer side-channel-secure systems?
That's asking the wrong question. Well, unless it's a gedanken-experiment
style question to see what people will come up with. The real question is,
which attack vectors are being exploited the most, and how do we deal with
those?
Incidentally, we already know how to make secure systems that are pretty
side-channel-attack resistant. There's a twenty-year-old HSM, IBM's 4758,
that was resistant to pretty much all of the side-channel attacks that came
along after it was developed, not because the developers were magically
aware of them but because they used good engineering practice, power supply
decoupling, filtering, etc.
The 4758 was attacked by the Cambridge folks, not via any side channels but
through a basic software flaw in the CCA firmware. You don't need to bother
with b when a will always get you in.
Peter.