[12566] in cryptography@c2.net mail archive


RE: [Bodo Moeller ] OpenSSL Security Advisory: Timing-based attacks on SSL/TLS with CBC encryption

daemon@ATHENA.MIT.EDU (Zully Ramzan)
Sun Feb 23 13:10:38 2003

X-Original-To: cryptography@wasabisystems.com
Date: Fri, 21 Feb 2003 12:02:57 -0800
From: "Zully Ramzan" <zramzan@ipdynamics.com>
To: "Steven M. Bellovin" <smb@research.att.com>, "EKR" <ekr@rtfm.com>
Cc: <cryptography@wasabisystems.com>

The idea is also similar to timing attacks against very, very
badly-implemented password checking schemes; e.g. where a reply by some
verifying server to a correct guess on the first n characters of a
password takes slightly longer than a reply to a correct guess on only
the initial n-1 characters (because an error is returned as soon as the
first character is encountered).

In these cases, the attack is also linear since one character at a time
can be guessed, and the timing of the response provides an indication of
whether or not the guess is correct.

I believe we've also seen this type of paradigm in many cryptanalytic
instances wherein a guess for just a portion of a secret key can be
verified, thereby reducing the time for a brute-force search since one
first guesses this portion, and gets it right, before trying to guess
the remainder of the key material.

Regards,
Zully

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Zulfikar Ramzan
IP Dynamics, Inc.   http://www.ipdynamics.com
Unfettered, Simple VPNs

> -----Original Message-----
> From: Steven M. Bellovin [mailto:smb@research.att.com]
> Sent: Friday, February 21, 2003 6:17 AM
> To: EKR
> Cc: cryptography@wasabisystems.com
> Subject: Re: [Bodo Moeller <bodo@openssl.org>] OpenSSL Security Advisory: Timing-based attacks on SSL/TLS with CBC encryption
>
> I'm struck by the similarity of this attack to Matt Blaze's master key
> paper.  In each case, you're guessing at one position at a time, and
> using the response of the security system as an oracle.  What's crucial
> in both cases is the one-at-a-time aspect -- that's what makes the
> attack linear instead of exponential.
>
>
> 		--Steve Bellovin, http://www.research.att.com/~smb (me)
> 		http://www.wilyhacker.com (2nd edition of "Firewalls" book)
>
>
>
> ---------------------------------------------------------------------
> The Cryptography Mailing List
> Unsubscribe by sending "unsubscribe cryptography" to majordomo@wasabisystems.com

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@wasabisystems.com
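
The early-exit password check described in the message above, next to a comparison whose work does not depend on the matching prefix. This is an added example, not part of the original message or of OpenSSL; the secret, the fixed length N and all function names are constructed for illustration, and "bytes examined" stands in for response time.

```c
#include <stddef.h>
#include <stdio.h>

#define N 8
/* Constructed sample secret, fixed length N (an assumption of this example). */
static const unsigned char SECRET[N + 1] = "hunter2!";

/* Early-exit check as described in the message. *work gets the number of
 * bytes examined: a deterministic stand-in for the server's response time. */
int leaky_equal(const unsigned char *guess, size_t *work)
{
    for (size_t i = 0; i < N; i++) {
        if (SECRET[i] != guess[i]) {
            *work = i + 1;          /* returns at the first mismatch */
            return 0;
        }
    }
    *work = N;
    return 1;
}

/* Hardened check: always touches all N bytes and ORs the differences, so
 * the work done is independent of how long the matching prefix is. */
int ct_equal(const unsigned char *guess, size_t *work)
{
    unsigned char diff = 0;
    for (size_t i = 0; i < N; i++)
        diff |= (unsigned char)(SECRET[i] ^ guess[i]);
    *work = N;
    return diff == 0;
}

/* Convenience wrappers returning only the work count for an N-byte guess. */
size_t leaky_work(const char *g) { size_t w; leaky_equal((const unsigned char *)g, &w); return w; }
size_t ct_work(const char *g)    { size_t w; ct_equal((const unsigned char *)g, &w); return w; }

int main(void)
{
    /* Constructed guesses with 0, 2, 7 and 8 correct leading bytes. */
    const char *guesses[] = { "aaaaaaaa", "huaaaaaa", "hunter2?", "hunter2!" };
    for (size_t i = 0; i < sizeof guesses / sizeof guesses[0]; i++)
        printf("%s  leaky=%zu  constant=%zu\n", guesses[i],
               leaky_work(guesses[i]), ct_work(guesses[i]));
    return 0;
}
```

In deployed code, prefer a vetted constant-time primitive such as OpenSSL's CRYPTO_memcmp over a hand-written loop, since an optimizing compiler may reintroduce data-dependent behaviour.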
