In Cryptanalyse, a attacks temporal consists to estimate and analyze time put to carry out certain cryptographic operations with an aim of discovering secret information. Certain operations can take more time than others and the study of this temporal information can be invaluable for the cryptanalyste. The implementation of this kind of attack is closely related on the hardware or the attacked software.

Limitations

Temporal attacks can also be done remotely, via a network. The observation of the times in a system is in general subjected to random disturbances. This is all the more true as the observation is done via a network. The majority of the temporal attacks require that the adversary know the details of the implementation. However, these attacks can be also used to identify the algorithms employed and to make engineering reverses.

Attacks on asymmetrical cryptography

The algorithms of modular exponentation are expensive, the execution time depends linearly on the number of bits with “1” in the key. If to know the number from “1” is not always sufficient information to find the key, the statistical stepping between several codings with this key can offer new possibilities to the cryptanalyste.

Attacks on a network

In 2003, Boneh and Brumley showed a practical attack against waiters SSL. Their cryptanalyse is based on vulnerabilities discovered in the implementations of the Théorème of the Chinese remainders. The attack however was conducted through a network of limited size but it showed that this type of attack was serious and practicable in the space of a few hours. The implementations were improved to limit the correlations between the key and the time of coding.

Attacks on codings per block

The codings per block are in general less sensitive to the temporal attacks, the correlation between the key and the operations being limited, but those exist nevertheless. The majority rest over times put to reach the various tables (for example the S-Box be).

In 2005, Daniel J. Bernstein showed that an attack against a vulnerable implementation of AES was possible starting from the mask of the modern processors of the PC (AMD or Intel). Bernstein reproaches NIST for having neglected these problems at the time of the Concours AES, it adds that the NIST was mistaken on the basis of the principle that the access time to the tables was constant.

Example of attack

In 1996, Paul Kocher exhibe a fault in an establishment of the calculation of the modular Exponentiation. The algorithm consists in calculating $R\; =\; y^x$ MOD $n$, with $n$ public, and $y$ obtained by espionage (or any another manner). The goal of the attacker is to find the value of $x$ (the secret key).

So that this attack proceeds correctly, the “victim” must calculate $y^x$ MOD $n$ for several values of $y$, where $y$, $n$ and the time computing (with a sufficiently fine grain) are known attacker.

Here the algorithm, with $w$ the number of bits length of $x$.

Is $s\_0\; =\; 1$

For $k$ energy of $0$ with $w\; -\; 1$ to make

If the $k$-ème bit of $x$ is worth 1

Alors $R\_k\; =\; (s\_k\; \backslash \; times\; there)$ MOD $n$

If not $R\_k\; =\; S\_k$

$S\_\; \{k+1\}\; =\; R^2\_\; \{K\}$ MOD $n$

FinPour

Renvoyer ($R\_w\; -\; 1$)

It is noticed that according to the value of the bit, one calculates either $(S\_k\; \backslash \; times\; there)$ MOD $n$ or nothing (in fact, one carries out the assignment $R\_k\; =\; S\_k$, but in term of computing time it is negligible). Thus if one can sufficiently finely observe the execution time of the algorithm, one can deduce the value from the bit according to the computing time, and thus completely recover the secrecy while proceeding by iteration on the bits $0\; \backslash \; ldots\; b-1$ of the exhibitor.

External bonds

• Mask-timing attacks one AES, paper of Daniel Bernstein.
• Attacks Timing one Implementations off Diffie-Hellman, RSA, DSS, and Other Systems, the article of Paul C. Kocher.

Random links:

Amygdala (brain) | Jean Ignace of the City | Raf Simons | Shark griset | Trilobachne