Hi,

Mauro Lacy wrote:

> This paper describes remote timing techniques based on TCP/IP intrinsic operation
> and options. The techniques are used for careful observation of the TCP/IP data
> stream to detect timing differences in the operation of the remote application and
> relate them to selected data and/or phenomena.

This reminds me of http://online.securityfocus.com/archive/82/185167 (+see the thread)
which also discusses something like this (timing techniques) and the "additional noise"
such as task switches, etc.

> I'll quote here a comment by Paul Kocher, who told me in a private communication
>
> "You might want to try some ... statistical attacks ...
> ... -- using them, even very tiny differences (<1 us) can
> be resolved even if there is quite a lot of measurement error
> (>1 ms)... . The general math required
> is quite simple - you'd want to look for the difference between
> the *average* time when [for example] n bytes of a password
> are correct and the average time when n+1 bytes of the password
> are correct."

I also remember this reply with another approach to this problem:
(from http://online.securityfocus.com/archive/82/186161 )
Quote:
> Why noise-filtering? Since there seem to be no invalid low numbers,
> just take the minimum of a certain amount of tries (1000, 10000)
> and check whether those give you a clue -- i.e. try to find
> the ones with the lowest noise and compare them.

I didn't read this all yet (it's a bit late), but it looks very interesting...

    Bram Matthys.
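The two estimators quoted in this thread (Kocher's difference of *average* times between an n-byte-correct and an (n+1)-byte-correct guess, and the minimum-of-many-tries noise filter) are easy to try on a simulated service. The script below is an added illustration written for this page, not code from the thread or from the paper being discussed. It simulates a password check in microseconds with an early-exit compare beside a length-independent one, adds a constructed non-negative delay as noise, and shows how a defender would test their own compare function for a detectable per-byte step. All timing constants, the secret, and the noise model are assumptions of the simulation; no real host is timed.

```python
"""Simulated timing-leak measurement (added example, not the thread's code).

Models a password check whose response time grows with the number of leading
bytes that match, then applies the two estimators quoted in the thread:
the difference of average response times between an n-byte-correct and an
(n+1)-byte-correct guess, and the minimum of many tries as a noise filter.
Every number here is constructed for the simulation; no real host is timed.
"""
import random
from statistics import fmean, variance
from typing import Callable, List, Tuple

# Constructed timing model (microseconds): the per-byte cost is well below
# the per-sample noise, in the spirit of "tiny difference, large error".
BASE_US = 500.0        # fixed cost of handling one request
PER_BYTE_US = 2.0      # extra time for each byte the compare loop visits
NOISE_MEAN_US = 10.0   # mean of the additive, always non-negative delay

Work = Callable[[bytes, bytes], int]


def bytes_visited_leaky(secret: bytes, guess: bytes) -> int:
    """Early-exit compare: stops at the first mismatch, so the work done
    reveals how long the matching prefix is."""
    visited = 0
    for a, b in zip(secret, guess):
        visited += 1
        if a != b:
            break
    return visited


def bytes_visited_constant(secret: bytes, guess: bytes) -> int:
    """Length-independent compare (the shape of hmac.compare_digest):
    the whole secret is visited no matter where the mismatch is."""
    return len(secret)


def guess_with_prefix(secret: bytes, k: int) -> bytes:
    """A guess whose first k bytes are right and whose byte k is wrong."""
    assert 0 <= k < len(secret)
    wrong = bytes([(secret[k] + 1) % 256])
    return secret[:k] + wrong + b"\x00" * (len(secret) - k - 1)


def response_time_us(secret: bytes, guess: bytes, rng: random.Random, work: Work) -> float:
    """One simulated measurement: deterministic cost plus an additive delay.
    Exponential delay models queueing / task-switch noise that only ever
    adds time, which is exactly the assumption behind the min-of-N filter."""
    return BASE_US + PER_BYTE_US * work(secret, guess) + rng.expovariate(1.0 / NOISE_MEAN_US)


def timings_for_step(secret: bytes, k: int, samples: int, seed: int,
                     work: Work) -> Tuple[List[float], List[float]]:
    """`samples` measurements each for a k-correct and a (k+1)-correct guess."""
    rng = random.Random(seed)  # seeded so the simulation is reproducible
    t_k = [response_time_us(secret, guess_with_prefix(secret, k), rng, work) for _ in range(samples)]
    t_k1 = [response_time_us(secret, guess_with_prefix(secret, k + 1), rng, work) for _ in range(samples)]
    return t_k, t_k1


def mean_difference(t_k: List[float], t_k1: List[float]) -> Tuple[float, float]:
    """Kocher's estimator: difference of averages, plus its standard error so
    the result can be judged against zero."""
    n = len(t_k)
    diff = fmean(t_k1) - fmean(t_k)
    se = (variance(t_k) / n + variance(t_k1) / n) ** 0.5
    return diff, se


def min_difference(t_k: List[float], t_k1: List[float]) -> float:
    """The other reply's estimator: compare the minimum of many tries. Valid
    only when noise never makes a sample too *short* (pure additive delay)."""
    return min(t_k1) - min(t_k)


def leaks_timing(secret: bytes, k: int, samples: int, seed: int, work: Work,
                 sigmas: float = 4.0) -> bool:
    """Defender's check: is the per-byte step distinguishable from zero?"""
    diff, se = mean_difference(*timings_for_step(secret, k, samples, seed, work))
    return abs(diff) > sigmas * se


if __name__ == "__main__":
    secret = b"correct horse"  # constructed secret for the simulation
    for name, work in (("early-exit compare", bytes_visited_leaky),
                       ("constant-time compare", bytes_visited_constant)):
        t_k, t_k1 = timings_for_step(secret, 4, 20000, 1, work)
        diff, se = mean_difference(t_k, t_k1)
        print(f"{name}: single pair {t_k1[0] - t_k[0]:+.1f} us, "
              f"mean diff {diff:+.2f} us (se {se:.2f}), "
              f"min diff {min_difference(t_k, t_k1):+.2f} us, "
              f"leak detected: {abs(diff) > 4 * se}")
```

A single pair of measurements is dominated by the ~10 us delay, while twenty thousand per guess push the standard error of the mean difference to about 0.1 us and the 2 us per-byte step stands out; the min filter recovers it with far fewer tries, but only because the simulated noise is purely additive. Against the length-independent compare the same estimators see no step, which is the property a constant-time compare exists to provide.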
