No subject


Wed Apr 6 21:09:32 CEST 2005


S-boxes would seem to be susceptible to this class of attack. I think
that would include 3DES, Twofish, etc. from what I know of their design.
=20
> 3) Would it be easier to write a fast implementation of some=20
> other cipher=20
> that is immune to this kind of timing attacks?

Not for me ;-).

> 4) What are the plans for GnuPG?

I do not think this timing attack is a serious issue for GnuPG, since it
does not work as an encrypting server that encrypts and transmits
packets in real time. Obtaining timing data would require a compromise
of the local machine. If an attacker can do that, why wouldn't the
attacker just snag the pass phrase from the keyboard, or the plaintext?

There may be some implications for GPG systems which automatically
receive-encrypt-forward, such as GPGrelay. However, since a different
block cipher key is used with each run in OpenPGP, obtaining enough
accurate timing data might be impossible. In the attack, the same key is
used to encrypt different plaintext repeatedly.

I think the real implications of this attack are for VPNs or other
"encrypting oracle" network services. But most site-to-site VPN devices
use hardware ASICs these days, which would probably mean a constant-time
implementation of AES and 3DES at least. Attacking software-based VPN
clients may be a possibility, but again a local compromise of the
machine is probably an easier attack to mount - even if it is running a
hardened FreeBSD or something similar.

Regards,
	Ryan



More information about the Gnupg-users mailing list