CERIAS Weblogs » Yet another timing attack


Prof. Eugene Spafford

Eugene H. Spafford is one of the most senior and recognized leaders in the field of computing. He has an on-going record of accomplishment as an advisor and consultant on issues of security, cybercrime and policy to a number of major companies, law enforcement organizations, and government agencies, including Microsoft, Intel, Unisys, the US Air Force, the National Security Agency, the Federal Bureau of Investigation, the Department of Energy, and two Presidents of the United States. At Purdue, Spaf (as he is generally known) is a professor of Computer Sciences, a professor of Electrical and Computer Engineering (courtesy), a professor of Philosophy (courtesy), a professor of Communication (courtesy), and Executive Director of the Purdue University Center for Education and Research in Information Assurance and Security (CERIAS).



There is a long history of researchers finding differential attacks against cryptographic algorithms. Timing and power attacks are two of the most commonly used, and they go back a very long time. One of the older, “classic” examples in computing was the Tenex password-on-a-page-boundary attack. Many accounts of this can be found in various places online, such as here and here (page 25). These are examples of what are known as side-channel attacks — they don’t attack the underlying algorithm but rather take advantage of some side effect of the implementation to recover the key. A search of the WWW finds lots of pages describing these.
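As an added illustration of the kind of implementation side effect the Tenex example relies on (example code written for this page, not from the post): a password check that stops at the first mismatching character does an amount of work that depends on how much of the guess is right, while a constant-time check always does the same work. The secret and the guesses are constructed sample values, and both strings are assumed to have the same length.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Early-exit check: returns at the first mismatching byte, so the number of
 * bytes examined (a proxy for time, or for the page fault in the Tenex case)
 * grows with the length of the correct prefix of the guess. */
static int check_early_exit(const uint8_t *secret, const uint8_t *guess,
                            size_t n, size_t *work)
{
    for (size_t i = 0; i < n; i++) {
        if (secret[i] != guess[i]) {
            *work = i + 1;
            return 0;
        }
    }
    *work = n;
    return 1;
}

/* Constant-time check: touches every byte and folds the differences with OR,
 * so neither the loop count nor any branch depends on the secret. */
static int check_constant_time(const uint8_t *secret, const uint8_t *guess,
                               size_t n, size_t *work)
{
    uint8_t diff = 0;
    for (size_t i = 0; i < n; i++)
        diff |= secret[i] ^ guess[i];
    *work = n;
    return diff == 0;
}

/* Bytes examined for one guess (0 if the lengths differ, by assumption). */
size_t work_for_guess(const char *secret, const char *guess, int constant_time)
{
    size_t n = strlen(secret), work = 0;
    if (strlen(guess) != n)
        return 0;
    if (constant_time)
        check_constant_time((const uint8_t *)secret, (const uint8_t *)guess, n, &work);
    else
        check_early_exit((const uint8_t *)secret, (const uint8_t *)guess, n, &work);
    return work;
}

int main(void)
{
    const char *secret = "hunter42"; /* constructed sample secret */
    const char *guesses[] = { "a*******", "h*******", "hun*****", "hunter4*" };
    for (size_t g = 0; g < 4; g++)
        printf("%s  early-exit work=%zu  constant-time work=%zu\n", guesses[g],
               work_for_guess(secret, guesses[g], 0), work_for_guess(secret, guesses[g], 1));
    return 0;
}
```

The early-exit column climbs as the guess gets closer to the secret; the constant-time column stays at 8 regardless.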

So, it isn’t necessarily a surprise to see a news report of a new such timing attack. However, the article doesn’t really give much detail, nor does it necessarily make complete sense. Putting branch prediction into chips is something that has been done for more than twenty years (at least), and results in a significant speed increase when done correctly. It requires some care in cache design and corresponding compiler construction, but the overall benefit is significant. The majority of code run on these chips has nothing to do with cryptography, so it isn’t a case of “Security has been sacrificed for the benefit of performance,” as Seifert is quoted as saying. Rather, the problem is more that the underlying manipulation of cache and branch prediction is invisible to the software and programmer. Thus, there is no way to shut off those features or create adequate masking alternatives. Of course, too many people who are writing security-critical software don’t understand the mapping of code to the underlying hardware so they might not shut off the prediction features even if they had a means to do so.

We’ll undoubtedly hear more details of the attack next year, when the researchers disclose what they have found. However, this story should serve to simply reinforce two basic concepts of security: (1) strong encryption does not guarantee strong security; and (2) security architects need to understand — and have some control of — the implementation, from high level code to low level hardware. Security is not collecting a bunch of point solutions together in a box…it is an engineering task that requires a system-oriented approach.