> Frank writes:
> >From the description, it sounds like all you need is some "better than
> >random guess" at how long en/decryption takes. And that's certainly
> >possible without physical access. For example, if you view a
> >remote server as an en/decrypting 'black box' (among other things)
> >then you can give it work to do, and observe the response time.
> Can see how that might be possible at the keyboard. Might be possible on
> a remote terminal with a direct connection. Cannot see how it would work
> on a packet based network (having enough trouble with a std deviation of
> 188 usec against an average difference of 17 usec.), just too many random
> factors involved.
True--but NTP and such manage to overcome similar obstacles.
It's certainly not obvious how it would be done, but I wouldn't
write it off as impossible just yet.
re: Timing Attacks
From: "A. Padgett Peterson, P.E. Information Security" <PADGETT @
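Added example, not part of the original thread: the figures quoted above (an average difference of 17 usec against a standard deviation of 188 usec) can be put through a standard two-sample test to see how many measurements averaging needs before the difference stands out from the jitter. The Gaussian noise model, the 1000 usec baseline, the 5% significance level and the 80% power target are assumptions made for this sketch.

```python
import math
import random
from statistics import NormalDist

DELTA_US = 17.0   # average timing difference quoted in the thread
SIGMA_US = 188.0  # standard deviation quoted in the thread


def samples_needed(delta, sigma, alpha=0.05, power=0.80):
    """Per-group sample count for a two-sided, two-sample z-test."""
    z = NormalDist()
    z_alpha = z.inv_cdf(1 - alpha / 2)
    z_beta = z.inv_cdf(power)
    return math.ceil(2 * ((z_alpha + z_beta) * sigma / delta) ** 2)


def mean_var(xs):
    """Sample mean and unbiased sample variance."""
    m = math.fsum(xs) / len(xs)
    v = math.fsum((x - m) ** 2 for x in xs) / (len(xs) - 1)
    return m, v


def welch_z(a, b):
    """Difference of means divided by its standard error."""
    (ma, va), (mb, vb) = mean_var(a), mean_var(b)
    return (mb - ma) / math.sqrt(va / len(a) + vb / len(b))


def detection_rate(n, trials=200, alpha=0.05, seed=1, base_us=1000.0):
    """Fraction of simulated runs in which n samples per group expose
    the 17 usec difference (constructed Gaussian noise, fixed seed)."""
    rng = random.Random(seed)
    crit = NormalDist().inv_cdf(1 - alpha / 2)
    hits = 0
    for _ in range(trials):
        fast = [rng.gauss(base_us, SIGMA_US) for _ in range(n)]
        slow = [rng.gauss(base_us + DELTA_US, SIGMA_US) for _ in range(n)]
        if abs(welch_z(fast, slow)) > crit:
            hits += 1
    return hits / trials


if __name__ == "__main__":
    n = samples_needed(DELTA_US, SIGMA_US)
    print("samples per group:", n)
    print("detection rate, 20 samples:", detection_rate(20))
    print("detection rate, %d samples:" % n, detection_rate(n))
```

The standard error shrinks with the square root of the sample count, so network jitter of this size raises the number of measurements required rather than removing the signal; making the operation's duration independent of the secret is what removes it.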