December 7, 2017

Crypto Attacks: Side-Channel Attacks

  • Timing Leaks - attacks based on measuring how much time various computations take. For example, the algorithm is known and the attacker starts guessing the key: if the reply returns fast, the first bytes are wrong; if the reply takes longer, the first bytes are correct.
    • Mitigation: Constant time implementation
  • Error Oracles - returned errors leak information, e.g. a typical encoding error. See also Bleichenbacher's attack on PKCS#1 and the DROWN attack against SSLv2.
    • Mitigation: Ensure errors do not leak sensitive information, such as timing, interruptions, etc.
  • Software Bugs - all software contains bugs.
    • Mitigation: Patch or use more failsafe crypto
  • Optimizations - clever solutions can sometimes be too clever.
    • Mitigation: Do not try to outsmart yourself. Do not optimize if the outcome is marginal.
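
The timing leak and its constant-time mitigation from the first item, as an added example that is not part of the original post. The secret, function names and the byte counter (a deterministic stand-in for elapsed time) are constructed for illustration.

```python
import hmac

# Constructed sample secret for the demonstration (not a real key).
SECRET_TAG = bytes.fromhex("a1b2c3d4e5f60718")


def leaky_equal(expected: bytes, supplied: bytes):
    """Early-exit compare. Returns (result, bytes_examined)."""
    if len(expected) != len(supplied):
        return False, 0
    examined = 0
    for a, b in zip(expected, supplied):
        examined += 1
        if a != b:
            return False, examined  # stops at the first wrong byte: the leak
    return True, examined


def constant_time_equal(expected: bytes, supplied: bytes):
    """Compare every byte regardless of where the mismatch is."""
    if len(expected) != len(supplied):
        return False, 0
    diff = 0
    examined = 0
    for a, b in zip(expected, supplied):
        examined += 1
        diff |= a ^ b  # accumulate differences, no branch on secret data
    return diff == 0, examined


def work_profile(compare, secret: bytes):
    """Bytes examined when 0..n leading bytes of the input are correct."""
    profile = []
    for correct in range(len(secret) + 1):
        # Keep `correct` leading bytes, invert all the remaining ones.
        candidate = secret[:correct] + bytes(b ^ 0xFF for b in secret[correct:])
        profile.append(compare(secret, candidate)[1])
    return profile


def verify_tag(supplied: bytes) -> bool:
    """Production form: the standard library's constant-time comparison."""
    return hmac.compare_digest(SECRET_TAG, supplied)


if __name__ == "__main__":
    print("early-exit   :", work_profile(leaky_equal, SECRET_TAG))
    print("constant-time:", work_profile(constant_time_equal, SECRET_TAG))
```

The early-exit profile rises with each correct leading byte while the constant-time profile stays flat; in real Python code use `hmac.compare_digest` rather than a hand-written loop, since the interpreter gives no timing guarantees.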
