Interesting People mailing list archives
IP: Timing cryptanalysis of RSA, DH, DSS
From: Dave Farber <farber () central cis upenn edu>
Date: Mon, 11 Dec 1995 01:31:02 -0500
Date: Sun, 10 Dec 1995 21:48:19 -0800
From: pck () netcom com (Paul C. Kocher)

I've just released details of an attack many of you will find interesting since quite a few existing cryptography products and systems are potentially at risk. The general idea of the attack is that secret keys can be found by measuring the amount of time used to process messages. The paper describes attacks against RSA, fixed-exponent Diffie-Hellman, and DSS, and the techniques can work with many other systems as well.

My research on the subject is still in progress and the current paper does not include many of my findings. I will eventually publish a full paper, but am releasing a preliminary draft now to alert the community as quickly as possible. A copy of the abstract is attached at the end of this message and the full text can be downloaded in PostScript format from:

ftp://ftp.cryptography.com/pub/kocher_timing_attack.ps
ftp://ftp.cryptography.com/pub/kocher_timing_attack.ps.gz

I've also made an HTML version which is accessible at:

http://www.cryptography.com

(The HTML uses subscripts and superscripts which aren't supported in older web browsers. The PostScript version is the "official" one and looks nicer.)

The results have already been seen by Matt Blaze, Martin Hellman, Ron Rivest, Bruce Schneier, and many others. While the full significance of the attack is not yet known, I think everyone who has seen it considers it important (including Netscape who awarded me a $1000 bugs bounty prize).

ABSTRACT. Cryptosystems often take slightly different amounts of time to process different messages. With network-based cryptosystems, cryptographic tokens, and many other applications, attackers can measure the amount of time used to complete cryptographic operations. This abstract shows that timing channels can, and often do, leak key material. The attacks are particularly alarming because they often require only known ciphertext, work even if timing measurements are somewhat inaccurate, are computationally easy, and are difficult to detect. This preliminary draft outlines attacks that can find secret exponents in Diffie-Hellman key exchange, factor RSA keys, and find DSS secret parameters. Other symmetric and asymmetric cryptographic functions are also at risk. A complete description of the attack will be presented in a full paper, to be released later. I conclude by noting that closing timing channels is often more difficult than might be expected.

Cheers,
Paul Kocher

*********************************************************************
VERY IMPORTANT: If you send me e-mail, please understand that I probably won't have time to respond to all who write. Please keep messages SHORT and send them to pck () cryptography com (**not** my netcom address -- misdirected messages will be ignored). PGP when used for e-mail is not vulnerable to the attack. Please state in your note whether you would like a reply.
********************************************************************

__________________________________________________________________________
Paul C. Kocher    Independent cryptography/data security consultant
E-mail: pck () cryptography com (please see above before replying)
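The message above does not describe any particular implementation. As an added illustration (not taken from this post or from the paper it announces), the sketch below assumes a textbook left-to-right square-and-multiply exponentiation and counts modular multiplications as a stand-in for running time, next to a fixed-schedule Montgomery ladder whose work does not vary with the exponent. All function names, the modulus, the base and the exponents are constructed for the example.

```python
# Added example: key-dependent work in modular exponentiation (assumed
# textbook algorithms; counts of modular multiplications stand in for time).

MOD = 2**61 - 1          # constructed sample modulus
BASE = 0x1234567         # constructed sample base
KEY_BITS = 16            # constructed key length for the demo


def modexp_square_multiply(base, exp, mod):
    """Left-to-right binary exponentiation. Returns (result, modmul_count).

    The extra multiply runs only for 1 bits, so the amount of work
    depends on the secret exponent's bit pattern."""
    result, ops = 1, 0
    for bit in bin(exp)[2:]:
        result = (result * result) % mod
        ops += 1
        if bit == "1":
            result = (result * base) % mod
            ops += 1
    return result, ops


def modexp_ladder(base, exp, mod, bits=KEY_BITS):
    """Montgomery ladder over a fixed bit length. Returns (result, modmul_count).

    Every bit costs one multiply and one square, whatever its value.
    (A production version also replaces this branch with a constant-time
    conditional swap and uses fixed-width arithmetic.)"""
    r0, r1, ops = 1, base % mod, 0
    for i in range(bits - 1, -1, -1):
        if (exp >> i) & 1:
            r0, r1 = (r0 * r1) % mod, (r1 * r1) % mod
        else:
            r0, r1 = (r0 * r0) % mod, (r0 * r1) % mod
        ops += 2
    return r0, ops


def work_profile(keys):
    """Map each key to (square-and-multiply ops, ladder ops)."""
    return {k: (modexp_square_multiply(BASE, k, MOD)[1],
                modexp_ladder(BASE, k, MOD)[1]) for k in keys}


if __name__ == "__main__":
    for key, (sm, ladder) in work_profile([0x8001, 0xFFFF]).items():
        print(f"key={key:#06x} square-multiply ops={sm} ladder ops={ladder}")
```

Operation counts are used instead of wall-clock timing because Python's big-integer arithmetic is itself not constant time.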