Ping Huang writes:
>Your response seems to indicate that you did not in fact carefully
>read my entire message.
The knife cuts both ways. My point is that I view it as more likely that
space aliens will beat me with a rubber hose to extract my keys than
someone will recover my keys via this method of attack, which is easily
defended against.
-Mike
>As an extreme example, suppose the WorstCaseTime function always
>returns one year for any RSA key length less than 2048 bits. That
>time is almost certainly a valid upper bound to the real worst case
>time. If the calculated worst case time is inaccurate in that it is
>considerably larger than the real worst case time, that inaccuracy is
>bad because it add unnecessary latency from the legitimate user's
>point of view; however, this is a separate issue from whether the
>security is weakened. (Obviously, a one year latency is unacceptable
>in practice, but I exaggerate to make a point.)
>
>You assert that it matters that I may not be able to calculate the
>worst case time to some "required" resolution. This assertion implies
>that there exists some sort of "required" resolution, and I'd like to
>hear what criteria you use to determine if some arbitrary resolution
>is "good enough". I don't see how *THIS INFORMATION* would help you
>in attempting to factor out the dead time. Granted, an attacker could
>use repeated runs to factor out fluctuations and figure out what the
>WorstCaseTime function returns for the key lengths of interest; what
>does this really buy tge attacker? I believe it buys nothing; if you
>present a scenario where this information is of assistance, I would
>gladly stand corrected. (I'm not saying an attacker can't attempt to
>factor out the dead time even if the software takes the precautions I
>suggested, i.e., spin wait performing similar calculations rather than
>sleep. Rather, I'm specifically challenging the claim that the
>inaccuracy of a WorstCaseTime function, or that the attacker can
>figure out what values the WorstCaseTime function returns for certain
>key length, can actively help the attacker factor out the dead time.)
>Furthermore, you assert that it isn't POSSIBLE (my emphasis) in
>reality to calculate WorstCaseTime to your "required" resolution. In
>my message, I said I personally have not analyzed the algorithm and
>implementation (and anyway, I was never superb at analyzing
>average/worst case times of algorithms in my algorithms classes) and
>therefore couldn't present an analytical formula, but that doesn't
>mean it cannot be done. In any case, I suggested that a statistically
>good enough estimate should be possible, and you haven't suggested
>anything to contradict that. [By statistically good enough, I mean
>that the chances of the estimate causing information about the real
>key to leak (when the estimate is too low) are acceptably low.]
References:
|
|
