[45217] in Cypherpunks


Re: Timing Cryptanalysis Attack

daemon@ATHENA.MIT.EDU (Eric Young)
Tue Dec 12 00:09:47 1995

Date: Tue, 12 Dec 1995 14:25:36 +1000 (EST)
From: Eric Young <eay@mincom.oz.au>
To: Anonymous <anon-remailer@utopia.hacktic.nl>
Cc: cypherpunks@toad.com
In-Reply-To: <199512120058.BAA25991@utopia.hacktic.nl>

On Tue, 12 Dec 1995, Anonymous wrote:
>  > Timings like the ones listed are trivial to take in
>  > establishing things like SSL sessions, or Photuris sessions.
>  > The danger is to online protocols, not to PGP.
> This must be a new and interesting definition of the word
> "trivial" with which I was previously unfamiliar.
> 
> Quite frankly, I would be extremely surprised if anyone mounted a
> successful hostile attack against a server's RSA certificate
> using timings of remotely initiated SSL sessions outside of a
> controlled laboratory environment.

Well, let's put it this way: people have hacked machines through firewalls
via IP spoofing, and broken a single SSL RC4-40 bit session after weeks of
CPU time. Are you saying that perhaps being able to break a fixed
Diffie-Hellman key on a central router/computer would not be worth trying?
Remember, if you broke this key, and had recorded the last 6 months' worth
of traffic, you can now decode all of this traffic.  Once you have that
secret key and those packet logs, the decoding is a trivial and mechanical
process (trust me on this one).  One of the major advantages of choosing a
new secret key per DH negotiation is that you lose this capacity to
decrypt previous and future sessions. When we talk about taking 100s of
years to factor large primes, a system that may work after a month or 2 of
collecting data and statistics is definitely an easier proposition,
especially when the reward is all past and future traffic.

eric
--
Eric Young                  | Signature removed since it was generating
AARNet: eay@mincom.oz.au    | more followups than the message contents :-)
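The point Eric makes above, that a compromised fixed Diffie-Hellman key unlocks every recorded past session while a fresh per-negotiation key does not, is easy to show in a few lines. The following is an added illustration and is not code from the message or from any of the projects mentioned. It uses a constructed toy group (p = 2^127 - 1, g = 2), a SHA-256-based keystream and tag as a stand-in for a real cipher, and placeholder session payloads; none of these are meant to be secure, only to make the two key-management choices comparable on the same transcript.

```python
import hashlib
import secrets

# Constructed toy DH group for illustration only (far too small for real use).
P = 2**127 - 1
G = 2
TAG_LEN = 8


def keygen():
    """Return (private exponent, public value g^x mod p)."""
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)


def shared_key(priv, peer_pub):
    """Derive a 32-byte session key from the DH shared secret."""
    secret = pow(peer_pub, priv, P)
    return hashlib.sha256(secret.to_bytes(16, "big")).digest()


def keystream(key, length):
    """Toy SHA-256 counter-mode keystream (stand-in for a real cipher)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def encrypt(key, plaintext):
    ct = bytes(a ^ b for a, b in zip(plaintext, keystream(key, len(plaintext))))
    tag = hashlib.sha256(key + ct).digest()[:TAG_LEN]
    return ct + tag


def decrypt(key, blob):
    """Return the plaintext, or None when the key does not verify the tag."""
    ct, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    if hashlib.sha256(key + ct).digest()[:TAG_LEN] != tag:
        return None
    return bytes(a ^ b for a, b in zip(ct, keystream(key, len(ct))))


def payload(i):
    # Constructed placeholder traffic for session i.
    return b"session %d payload" % i


def static_server_sessions(n_sessions):
    """Server reuses one DH key for every session (the 'fixed key' case).
    Returns the server's private key and what a passive recorder sees:
    the client's public value and the ciphertext of each session."""
    server_priv, server_pub = keygen()
    recorded = []
    for i in range(n_sessions):
        client_priv, client_pub = keygen()
        key = shared_key(client_priv, server_pub)       # client side
        assert key == shared_key(server_priv, client_pub)  # server side
        recorded.append((client_pub, encrypt(key, payload(i))))
    return server_priv, recorded


def ephemeral_sessions(n_sessions):
    """Both sides pick a fresh DH key per negotiation; the server's long-term
    key is never used for key agreement. The per-session exponents are
    dropped after use, so the recorder keeps only public values."""
    longterm_priv, _longterm_pub = keygen()
    recorded = []
    for i in range(n_sessions):
        server_priv, server_pub = keygen()
        client_priv, client_pub = keygen()
        key = shared_key(client_priv, server_pub)
        recorded.append((client_pub, server_pub, encrypt(key, payload(i))))
        del server_priv, client_priv  # discarded once the session ends
    return longterm_priv, recorded


def recover_static(server_priv, recorded):
    """Attacker who later obtains the fixed key replays the key agreement
    against every recorded session and decrypts all of them."""
    return [decrypt(shared_key(server_priv, client_pub), blob)
            for client_pub, blob in recorded]


def recover_ephemeral(longterm_priv, recorded):
    """Same attacker with the long-term key: the session exponents are gone,
    so the best available guess yields a key that fails every tag check."""
    return [decrypt(shared_key(longterm_priv, client_pub), blob)
            for client_pub, _server_pub, blob in recorded]


if __name__ == "__main__":
    priv, log = static_server_sessions(3)
    print("fixed key, recovered:", recover_static(priv, log))
    lt, log2 = ephemeral_sessions(3)
    print("ephemeral, recovered:", recover_ephemeral(lt, log2))
```

Running it shows the asymmetry directly: with the fixed key every recorded payload comes back in the clear, while with per-session keys the same long-term compromise recovers nothing, because the only secret that would unlock a session was never written anywhere a recorder or a later compromise could reach it.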
