[17565] in cryptography@c2.net mail archive
Re: Optimisation Considered Harmful
daemon@ATHENA.MIT.EDU (James A. Donald)
Fri Jun 24 13:07:55 2005
X-Original-To: cryptography@metzdowd.com
From: "James A. Donald" <jamesd@echeque.com>
To: Cryptography <cryptography@metzdowd.com>
Date: Fri, 24 Jun 2005 09:14:24 -0700
In-reply-to: <42B9F956.20708@algroup.co.uk>
--
On 23 Jun 2005 at 0:50, Ben Laurie wrote:
> A brief altercation this evening with CERT over the
> recent hyperthread caching issues has brought
> something that's been simmering at the back of my
> brain to the forefront.
>
> The recent hyperthread/cache key recovery trick,
> followed by DJB's related (IMO) symmetric key
> recovery, and preceded by the RSA timing attacks
> (Boneh et al?) are all examples of attacks on the same
> thing: optimisation.
>
> The problem is that if different paths through your
> code expose different availability of optimisation,
> then there's a timing attack available. I predict, for
> example, that someone will find a way to attack
> something using pipeline breaks on Pentium
> processors[1].
>
> How do we fix this? Well, it's easy to say: we make
> everything equally crap - we make sure that all
> operations are as slow as the slowest possible variant
> can be. However, on a modern processor, this is _very_
> hard to do.
Suppose you have something that is inadvertently an
oracle - it encrypts stuff from many different users
preparatory to sending it out over the internet, and
makes no effort to strongly authenticate a user.
Have it encrypt stuff into a buffer, and on a timer
event, send out the buffer.
Your code is now of course multithreaded - very easy to
get multithreading bugs that never show up during
testing, but non-deterministically show up in actual
use.
--digsig
James A. Donald
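The encrypt-into-a-buffer, send-on-a-timer scheme described above, as an added example that is not from the thread: encryption runs when a message is submitted, but ciphertexts reach the send callback only when the timer fires (or on an explicit flush), so the time each encryption took is not visible at the network. The `toy_encrypt` stand-in (a SHA-256 keystream plus HMAC tag, not a real cipher) and the `TimedSender` class are constructed for this illustration; the lock around the shared buffer and nonce counter is exactly where the multithreading bugs mentioned above would otherwise appear.

```python
import hashlib
import hmac
import threading
from collections import deque

def toy_encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Stand-in cipher (SHA-256 counter keystream + HMAC tag); its running
    time depends on the input, which is what the timed flush hides."""
    out = bytearray()
    for i in range(0, len(plaintext), 32):
        block = hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
        out += bytes(p ^ k for p, k in zip(plaintext[i:i + 32], block))
    tag = hmac.new(key, nonce + bytes(out), hashlib.sha256).digest()
    return nonce + bytes(out) + tag

class TimedSender:
    """Encrypt on submit, but release ciphertexts only on a fixed tick."""
    def __init__(self, key: bytes, send, interval: float):
        self._key, self._send, self._interval = key, send, interval
        self._lock = threading.Lock()        # buffer is shared by two threads
        self._buf, self._counter = deque(), 0
        self._stop = threading.Event()
        self._thread = threading.Thread(target=self._run, daemon=True)

    def submit(self, plaintext: bytes) -> None:
        with self._lock:                     # counter nonce: never reused
            nonce = self._counter.to_bytes(8, "big")
            self._counter += 1
        ct = toy_encrypt(self._key, nonce, plaintext)   # variable-time work
        with self._lock:
            self._buf.append(ct)             # nothing leaves the host yet

    def flush(self) -> int:
        """Hand everything buffered so far to the network; returns the count."""
        with self._lock:
            batch, self._buf = list(self._buf), deque()
        if batch:
            self._send(batch)
        return len(batch)

    def _run(self) -> None:
        while not self._stop.wait(self._interval):   # wake only on the tick
            self.flush()

    def start(self) -> None:
        self._thread.start()

    def stop(self) -> int:
        self._stop.set()
        self._thread.join()
        return self.flush()                  # drain whatever is left
```

The observable events are the batches handed to `send`, whose timing is set by the tick, not by how long any individual encryption ran.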
---------------------------------------------------------------------
The Cryptography Mailing List