Opportunities and Limits of Remote Timing Attacks

Many algorithms can take a variable amount of time to complete depending on the data being processed. These timing differences can sometimes disclose confidential information. Indeed, researchers have been able to reconstruct an RSA private key purely by querying an SSL Web server and timing the results. Our work analyzes the limits of attacks based on accurately measuring network response times and jitter over a local network and across the Internet. We present the design of filters to significantly reduce the effects of jitter, allowing an attacker to measure events with 15-100μs accuracy across the Internet, and as good as 100ns over a local network. Notably, security-related algorithms on Web servers and other network servers need to be carefully engineered to avoid timing channel leaks at the accuracy demonstrated in this article.
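An added illustration, not code from the paper: a simulation on constructed data showing why one-sided network jitter does not hide a 20 µs processing difference once samples are filtered. The delay model, the 1st-percentile filter and all names are assumptions; the abstract does not specify the filters the authors designed.

```python
import random
import statistics

BASE_US = 40_000.0      # constructed fixed path delay (40 ms)
JITTER_MEAN_US = 500.0  # constructed mean of one-sided queuing jitter


def simulate_rtts(processing_us, n, rng):
    """Constructed samples: path delay + server processing + jitter >= 0."""
    return [BASE_US + processing_us + rng.expovariate(1.0 / JITTER_MEAN_US)
            for _ in range(n)]


def low_percentile(samples, pct):
    """Return the pct-th percentile; low values sit close to the jitter floor."""
    ordered = sorted(samples)
    return ordered[int(len(ordered) * pct / 100.0)]


def estimate_gap(delta_us, n, rng):
    """Estimate the processing-time gap two ways from n samples per class."""
    fast = simulate_rtts(100.0, n, rng)
    slow = simulate_rtts(100.0 + delta_us, n, rng)
    by_mean = statistics.mean(slow) - statistics.mean(fast)
    by_filter = low_percentile(slow, 1) - low_percentile(fast, 1)
    return by_mean, by_filter


def compare_estimators(delta_us=20.0, n=1000, trials=100, seed=2009):
    """Repeat the measurement and report each estimator's centre and spread."""
    rng = random.Random(seed)
    results = [estimate_gap(delta_us, n, rng) for _ in range(trials)]
    means = [m for m, _ in results]
    filtered = [f for _, f in results]
    return {
        "mean_spread_us": statistics.stdev(means),
        "filter_spread_us": statistics.stdev(filtered),
        "filter_centre_us": statistics.median(filtered),
        "mean_wrong_sign": sum(m <= 0 for m in means),
        "filter_wrong_sign": sum(f <= 0 for f in filtered),
    }


if __name__ == "__main__":
    for key, value in compare_estimators().items():
        print(f"{key}: {value:.1f}")
```

In this model the filtered estimate stays tightly centred on the true 20 µs gap while the plain mean scatters widely around it, which is why network noise alone should not be counted on to mask data-dependent timing in server code.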
