Fun_People Archive
11 Dec
Trouble in River City


Date: Mon, 11 Dec 95 13:50:37 -0800
From: Peter Langston <psl>
To: Fun_People
Subject: Trouble in River City

Forwarded-by: bostic@bsdi.com (Keith Bostic)
From: jim@SmallWorks.COM (Jim Thompson)

"Encryption Flaw Rattles Comuter Security Industry"

SAN FRANCISCO - The discovery of a vulvnerability has shaken the computer
world's faith in the safe use of the data-security technologies on which
most current and planned electronic banking, shopping and "digital cash"
systems are based.

The vulnerability has been found in a class of technologies known as
public-key encryption - designed to provide electronic transactions by
scrambling data so they can be read only by people with the proper
mathematical keys to the code.

The flaw was identified by Paul C. Kocher, a 22-year-old researcher, who
demonstrated a way that an electronic eavesdropper who is able to monitor
the repeated process of unscrambling the incoming messages could figure
out the private key.  It can be done by repeatedly keeping track of the
precise length of time it takes to unscramble each message.

-- From TimesFax, Mon. Dec. 11 Internet Edition

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
From: pck@netcom.com (Paul C. Kocher)
Subject: Announce: Timing cryptanalysis of RSA, DH, DSS

I've just released details of an attack many of you will find interesting
since quite a few existing cryptography products and systems are
potentially at risk.  The general idea of the attack is that secret keys
can be found by measuring the amount of time used to to process messages.
The paper describes attacks against RSA, fixed- exponent Diffie-Hellman,
and DSS, and the techniques can work with many other systems as well.

My research on the subject is still in progress and the current paper does
not include many of my findings.  I will eventually publish a full paper,
but am releasing a preliminary draft now to alert the community as quickly
as possible.  A copy of the abstract is attached at the end of this
message and the full text can be downloaded in PostScript format from:

  ftp://ftp.cryptography.com/pub/kocher_timing_attack.ps
  ftp://ftp.cryptography.com/pub/kocher_timing_attack.ps.gz

I've also made an HTML version which is accessible at:

  http://www.cryptography.com

(The HTML uses subscripts and superscripts which aren't supported in older
web browsers.  The PostScript version is the "official" one and looks
nicer.)

The results have already been seen by Matt Blaze, Martin Hellman, Ron
Rivest, Bruce Schneier, and many others.  While the full significance of
the attack is not yet known, I think everyone who has seen it considers
it important (including Netscape who awarded me a $1000 bugs bounty
prize).


    ABSTRACT.  Cryptosystems often take slightly different amounts of time
    to process different messages. With network- based cryptosystems,
    cryptographic tokens, and many other applications, attackers can
    measure the amount of time used to complete cryptographic operations.
    This abstract shows that timing channels can, and often do, leak key
    material.  The attacks are particularly alarming because they often
    require only known ciphertext, work even if timing measurements are
    somewhat inaccurate, are computationally easy, and are difficult to
    detect.  This preliminary draft outlines attacks that can find secret
    exponents in Diffie- Hellman key exchange, factor RSA keys, and find
    DSS secret parameters.  Other symmetric and asymmetric cryptographic
    functions are also at risk. A complete description of the attack will
    be presented in a full paper, to be released later. I conclude by
    noting that closing timing channels is often more difficult than might
    be expected.


Cheers,
Paul Kocher

*********************************************************************
VERY IMPORTANT: If you send me e-mail, please understand that I
probably won't have time to respond to all who write.  Please keep
messages SHORT and send them to pck@cryptography.com (**not** my
netcom address -- misdirected messages will be ignored).  PGP when
used for e-mail is not vulnerable to the attack.  Please state in
your note whether you would like a reply.
********************************************************************

Paul C. Kocher           Independent cryptography/data security consultant
E-mail: pck@cryptography.com (please see above before replying)


[=] © 1995 Peter Langston []