Mercurial > dropbear

view libtomcrypt/notes/tech0002.txt @ 1499:2d450c1056e3

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
options: Complete the transition to numeric toggles (`#if') For the sake of review, this commit alters only the code; the affiliated comments within the source files also need to be updated, but doing so now would obscure the operational changes that have been made here. * All on/off options have been switched to the numeric `#if' variant; that is the only way to make this `default_options.h.in' thing work in a reasonable manner. * There is now some very minor compile-time checking of the user's choice of options. * NO_FAST_EXPTMOD doesn't seem to be used, so it has been removed. * ENABLE_USER_ALGO_LIST was supposed to be renamed DROPBEAR_USER_ALGO_LIST, and this commit completes that work. * DROPBEAR_FUZZ seems to be a relatively new, as-yet undocumented option, which was added by the following commit: commit 6e0b539e9ca0b5628c6c5a3d118ad6a2e79e8039 Author: Matt Johnston <[email protected]> Date: Tue May 23 22:29:21 2017 +0800 split out checkpubkey_line() separately It has now been added to `sysoptions.h' and defined as `0' by default. * The configuration option `DROPBEAR_PASSWORD_ENV' is no longer listed in `default_options.h.in'; it is no longer meant to be set by the user, and is instead left to be defined in `sysoptions.h' (where it was already being defined) as merely the name of the environment variable in question: DROPBEAR_PASSWORD To enable or disable use of that environment variable, the user must now toggle `DROPBEAR_USE_DROPBEAR_PASSWORD'. * The sFTP support is now toggled by setting `DROPBEAR_SFTPSERVER', and the path of the sFTP server program is set independently through the usual SFTPSERVER_PATH.
author Michael Witten <mfwitten@gmail.com>
date Thu, 20 Jul 2017 19:38:26 +0000
parents 1b9e69c058d2
children
line wrap: on
line source

Tech Note 0002
How to avoid non-intrusive timing attacks with online computations
Tom St Denis

Introduction
------------

A timing attack is when an attacker can observe a side channel of the device (in this case time).  In this tech note
we consider only non-intrusive timing attacks with respect to online computations.  That is an attacker can
determine when a computation (such as a public key encryption) begins and ends but cannot observe the device 
directly.  This is specifically important for applications which transmit data via a public network.

Consider a Diffie-Hellman encryption which requires the sender to make up a public key "y = g^x mod p".  Libtomcrypt
uses the MPI bignum library to perform the operation.  The time it takes to compute y is controlled by the number
of 1 bits in the exponent 'x'.  To a large extent there will be the same number of squaring operations.  "1" bits in
the exponent require the sender to perform a multiplication.  This means to a certain extent an attacker can 
determine not only the magnitude of 'x' but the number of one bits.  With this information the attacker cannot directly
learn the key used.  However, good cryptography mandates the close scrutiny of any practical side channel.

Similar logic applies to the other various routines.  Fortunately for this case there is a simple solution.  First, 
determine the maximum time the particular operation can require.  For instance, on an Athlon 1.53Ghz XP processor a
DH-768 encryption requires roughly 50 milliseconds.  Take that time and round it up.  Now place a delay after the call.

For example, 

void demo(void) {
   clock_t t1;

   // get initial clock
   t1 = clock();
   
   // some PK function
   
   // now delay 
   while (clock() < (t1 + 100));
   
   // transmit data...
   
}

This code has the effect of taking at least 100 ms always.  In effect someone analyzing the traffic will see that the
operations always take a fixed amount of time.  Since no two platforms are the same this type of fix has not been 
incorporated into libtomcrypt (nor is it desired for many platforms).  This requires on the developers part to profile
the code to determine the delays required.

Note that this "quick" fix has no effect against an intrusive attacker.  For example, power consumption will drop
significantly in the loop after the operation.  However, this type of fix is more important to secure the user of the 
application/device.  For example, a user placing an order online won't try to cheat themselves by cracking open their
device and performing side-channel cryptanalysis.  An attacker over a network might try to use the timing information
against the user.