so much for security :-)

Open forum for security issues and info.
Forum rules
Any posts concerning pirated software or offering to buy/sell/trade commercial software are subject to removal.
User avatar
hamei
Posts: 10433
Joined: Tue Feb 24, 2004 4:10 pm
Location: over the rainbow

so much for security :-)

Unread postby hamei » Sat Dec 23, 2006 7:00 am

http://www.roumazeilles.net/news/en/wor ... -networks/

"Public-Key cryptography ready to shatter?

Sunday, November 19th, 2006

Public-Key Cryptography is a very common technique used to protect sensitive information by encoding it in such a way that decoding relies on the extreme difficulty of some mathematics techniques (like finding the root factors of a prime integer). Today, a large part of our security is relying on this (including most of the secure communications over Internet).

But German cryptologist, Jean-Pierre Seifert (Universities of Haïfa and Innsbruck) seems on the bring of reavealing an unusual line of attack to this critical technology. He is set to present this in the next RSA conference in 2007. This could be a shattering blow to Internet security as we know it.

Essentially, the attack relies on the possibility to observe the operation of the CPU itself. Today’s microprocessors include a technique known as predictive branching that tries to anticipate results of some calculations. If the prediction is right, everything is very fast, if not the microprocessor still has to do a lengthy calculation. This results usually in huge performance improvements, but for the cryptologist it means that without knowing too much you can identify (from the exterior) what the microprocessor calculation results are, just by looking at the time it takes to do the computation steps.

This opens the door to a new generation of spying software that could rather easily crack the secret keys of some of the communications we consider quite secure. For the moment, since no precise details have been given, and since no demonstration has been made in the public, we are rather secure, but the vast majority of the specialists already consider that approach will certainly lead to a flurry of new easy-to-write spyware (before that cracking the secure key of those communications could take from years to millions of millenia of heavy computation; now we are speaking of near instantaneous break through)."

Interesting. Kinda like they investigate nukular physics - crash two trains in a tunnel then see what parts fly out the ends :P

big_mark_h
Posts: 188
Joined: Tue Jul 12, 2005 12:40 pm
Location: Merry old England

Unread postby big_mark_h » Sat Dec 23, 2006 4:18 pm

Damn! April fools day gets earlier every year....

This technique sounds like it might work, at least until you switch your brain on and think for a second. For example ...

without knowing too much you can identify (from the exterior) what the microprocessor calculation results are, just by looking at the time it takes to do the computation steps.


For the love of god... Thats a bit like saying "since it took 3 seconds for you to work out the result for (a*b)+c, the answer must be seven" :roll: Even if you know how long each step of a calculation took and can use this to somehow infer what those steps are, you still need to know the value of all variables before you can get the correct answer. Which means it will still take years for a supercomputer to crack any half decent crypto algorithms.....
I'm a pessimist, which makes me like a German vegetarian; I fear the wurst.

User avatar
Dr. Dave
Posts: 2311
Joined: Fri Feb 13, 2004 10:37 pm
Location: Ottawa, Canada >burp<

Unread postby Dr. Dave » Mon May 07, 2007 10:16 am

I believe I read this paper last year. The science (on the one I read) was good, however it required careful setup and analysis to carry out, in a very controlled environment. It exploits watching the cache usage to attempt to compute the key by inferring values from the pattern of usage found in the cache.

Hardly an effective hack due to constraints, yet it does actually work.

That is, assuming this is the same paper.

(I've worked off and on in the computer security field for quite some time, and thus this is why the article came to my attention previously).
:O3000: <> :O3000: :O2000: :Tezro: :Fuel: x2+ :Octane2: :Octane: x3 :1600SW: x2 :O2: x2+ :Indigo2IMP: :Indigo2: x2 :Indigo: x3 :Indy: x2+

Once you step up to the big iron, you learn all about physics, electrical standards, and first aid - usually all in the same day


Return to “SGI: Security”

Who is online

Users browsing this forum: No registered users and 1 guest