[3692] in cryptography@c2.net mail archive
RE: Is a serial cable as good as thin air?
daemon@ATHENA.MIT.EDU (David R. Conrad)
Thu Dec 3 15:13:06 1998
Date: Thu, 3 Dec 1998 14:37:56 -0500 (EST)
From: "David R. Conrad" <drc@adni.net>
To: cryptography@c2.net
In-Reply-To: <199812020724.BAA00010@tecaprocorp.com>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On Wed, 2 Dec 1998, Dianelos Georgoudis wrote:
> I will include a random delay to invalidate timing attacks.
Timing attacks work by collecting data over a large number of trials.
Over a large number of trials, a random delay approximates the mean delay
and can be subtracted out. (This is a rough description from someone who
has never implemented a timing attack.) Random delays only add a (small)
layer of complexity, and do not invalidate timing attacks.
The right solution is to ensure that all encryptions, decryptions,
signings, or signature verifications take the same amount of time.
(The maximum, worst case time.)
Of course, this applies (as I understand it; see parenthetical disclaimer
above) only to public key operations. It sounds as if you are doing
symmetric encryption and database access, so this may not even be a
concern for you. But if you're using RSA, DSS, Elliptic Curve, or the
like, then it's something you need to think about.
David R. Conrad <drc@adni.net>
"On two occasions I have been asked [by members of Parliament!], `Pray,
Mr. Babbage, if you put into the machine wrong figures, will the right
answers come out?' I am not able rightly to apprehend the kind of
confusion of ideas that could provoke such a question." -- Charles Babbage
-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 5.0i for non-commercial use
Charset: noconv
iQA/AwUBNmbooIPOYu8Zk+GuEQKthgCfQsOxmFoY68kZgLXwBf3WT/fVJ8EAn0dk
HVyzKBSi1GtuPycaoYmFvb2P
=/ztI
-----END PGP SIGNATURE-----
