[Cryptography] [FORGED] Attackers will always win, and it's getting worse!

Tom Mitchell mitch at niftyegg.com
Tue Jul 11 20:16:32 EDT 2017


On Tue, Jul 11, 2017 at 5:04 AM, Arnold Reinhold <agr at me.com> wrote:
> On Mon, 10 Jul 2017 04:40 Peter Gutmann wrote:
> Henry Baker <hbaker1 at pipeline.com> writes:
>
> User crypto software (the "attacked") has to run in such a way that:
> a.  It produces the correct answer; and
> b.  It does NOT LEAK SECRET INFORMATION through side-channels -- e.g.,
>   timing/power/etc.
.....
> source and object code? Or maybe just configuration management tools that
> insure compiler optimization levels are never turned on?

Having worked with compiler folk, the need to disable optimizations
in and of itself exposes a design problem in the code.

It ignores that the code can be optimized and an attacker can
attack faster than testing with "safe" side channel free code.
How much faster is important to know!
Constant time can be obtained with a constant time wrapper that
can see a fast real time counter.
Power requires physical access.

Testing mandates testing at all manner and levels of optimization.

Operational security mandates threat model understanding.

If optimizations reduce a large key space to fast and slow keys
key selection is important except the rule for selection is telling
an attacker about the key space itself.

This is important for both hardware and software.






-- 
  T o m    M i t c h e l l

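As an added illustration of the point raised above about optimization levels and timing side channels (this is example code written for this page, not code from the post, its author, or the thread): a byte comparison written two ways, an early-exit version whose running time depends on where the guess first differs, and a constant-time version with an optimization barrier so the compiler cannot turn the accumulator loop back into an early exit. A small harness times each one against a guess that differs in the first byte and one that differs in the last byte. The tag bytes are constructed sample values, not a real key, and the measurement uses the portable `clock()` rather than a cycle counter, so the ratio is only a coarse indicator; the function names and `TAG_LEN` are this example's own choices.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

#define TAG_LEN 32

/* Early-exit comparison, as found in many hand-written MAC/token checks:
   the loop stops at the first mismatching byte, so its running time tells
   an observer how many leading bytes of the guess were right. */
int leaky_compare(const uint8_t *a, const uint8_t *b, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        if (a[i] != b[i])
            return 0;
    }
    return 1;
}

/* Optimization barrier: tells the compiler that `v` may have been changed
   and observed, so it cannot rewrite the accumulator loop into an early-exit
   loop. GCC/Clang inline asm; other compilers fall back to a volatile sink. */
#if defined(__GNUC__)
#define OPT_BARRIER(v) __asm__ __volatile__("" : "+r"(v) : : "memory")
#else
static volatile uint8_t ct_sink;
#define OPT_BARRIER(v) (ct_sink = (v))
#endif

/* Constant-time comparison: reads every byte, has no data-dependent branch,
   and folds the accumulated difference to 0/1 with arithmetic rather than a
   conditional. Returns 1 when equal, 0 otherwise. */
int ct_compare(const uint8_t *a, const uint8_t *b, size_t n)
{
    uint8_t diff = 0;
    for (size_t i = 0; i < n; i++) {
        diff |= (uint8_t)(a[i] ^ b[i]);
        OPT_BARRIER(diff);
    }
    /* diff == 0 -> (0 - 1) wraps to 0xFFFFFFFF, >> 31 gives 1;
       diff in 1..255 -> (diff - 1) >> 31 gives 0 */
    return (int)(((uint32_t)diff - 1u) >> 31);
}

/* Time `cmp` over `iters` calls and return elapsed CPU seconds. */
static double time_compare(int (*cmp)(const uint8_t *, const uint8_t *, size_t),
                           const uint8_t *secret, const uint8_t *guess,
                           long iters)
{
    volatile int sink = 0;           /* keeps the calls from being optimized away */
    clock_t start = clock();
    for (long i = 0; i < iters; i++)
        sink += cmp(secret, guess, TAG_LEN);
    clock_t end = clock();
    (void)sink;
    return (double)(end - start) / CLOCKS_PER_SEC;
}

/* Ratio of time spent when the guess mismatches in the last byte to time
   spent when it mismatches in the first byte. A constant-time routine should
   sit near 1.0; the early-exit routine grows with the mismatch position. */
double timing_ratio(int (*cmp)(const uint8_t *, const uint8_t *, size_t), long iters)
{
    /* Constructed sample tag for the demo; not a real key. */
    uint8_t secret[TAG_LEN];
    for (int i = 0; i < TAG_LEN; i++)
        secret[i] = (uint8_t)(i * 37 + 11);

    uint8_t early[TAG_LEN], late[TAG_LEN];
    memcpy(early, secret, TAG_LEN); early[0] ^= 0xff;            /* differs at byte 0 */
    memcpy(late, secret, TAG_LEN);  late[TAG_LEN - 1] ^= 0xff;   /* differs at last byte */

    double t_early = time_compare(cmp, secret, early, iters);
    double t_late  = time_compare(cmp, secret, late, iters);
    return t_early > 0.0 ? t_late / t_early : 0.0;
}

int main(void)
{
    const long iters = 2000000;
    printf("leaky_compare late/early time ratio: %.2f\n", timing_ratio(leaky_compare, iters));
    printf("ct_compare    late/early time ratio: %.2f\n", timing_ratio(ct_compare, iters));
    printf("Rebuild at -O0, -O2 and -O3 and compare: the constant-time ratio "
           "should stay near 1 at every optimization level.\n");
    return 0;
}
```

The harness is the part that answers the post's "how much faster is important to know": build the same source at each optimization level the release toolchain uses and watch whether the ratio for the routine you rely on stays flat, rather than assuming a build flag will keep it that way.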
