The idea is also similar to timing attacks against very, very badly-implemented password checking schemes; e.g. where a reply by some verifying server to a correct guess on the first n characters of a password takes slightly longer than a reply to a correct guess on only the initial n-1 characters (because an error is returned as soon as the first character is encountered).
In these cases, the attack is also linear since one character at a time can be guessed, and the timing of the response provides an indication of whether or not the guess is correct. I believe we've also seen this type of paradigm in many cryptanalytic instances wherein a guess for just a portion of a secret key can be verified, thereby reducing the time for a brute-force search since one first guesses this portion, and gets it right, before trying to guess the remainder of the key material.

Regards,

Zully

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Zulfikar Ramzan
IP Dynamics, Inc.
http://www.ipdynamics.com
Unfettered, Simple VPNs

> -----Original Message-----
> From: Steven M. Bellovin [mailto:[EMAIL PROTECTED]
> Sent: Friday, February 21, 2003 6:17 AM
> To: EKR
> Cc: [EMAIL PROTECTED]
> Subject: Re: [Bodo Moeller <[EMAIL PROTECTED]>] OpenSSL Security Advisory: Timing-based attacks on SSL/TLS with CBC encryption
>
> I'm struck by the similarity of this attack to Matt Blaze's master key
> paper. In each case, you're guessing at one position at a time, and
> using the response of the security system as an oracle. What's crucial
> in both cases is the one-at-a-time aspect -- that's what makes the
> attack linear instead of exponential.
>
>
> --Steve Bellovin, http://www.research.att.com/~smb (me)
> http://www.wilyhacker.com (2nd edition of "Firewalls" book)
>
>
>
> ---------------------------------------------------------------------
> The Cryptography Mailing List
> Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
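The point both messages make (the response acts as a per-position oracle, so the search is linear in the secret length rather than exponential in it) can be checked deterministically. The example below is added here and is not code from the thread or from OpenSSL; it models the badly-implemented password check from the first paragraph by replacing wall-clock timing with an explicit count of compared characters, then puts a constant-time comparison (Python's stdlib `hmac.compare_digest`) beside it to show that the same position-at-a-time procedure learns nothing once the comparison does equal work regardless of where the first mismatch lies. The 26-letter alphabet, the known secret length, the `"a"` filler and the sample secret `"dog"` are all constructed assumptions.

```python
"""Added example (not from the mailing-list thread): model the
one-position-at-a-time oracle with a step count instead of real timing."""
import hmac
import string
from typing import Callable, List, Optional, Tuple

ALPHABET = string.ascii_lowercase   # assumption: secrets use only a-z
Oracle = Callable[[str], Tuple[bool, int]]


def early_exit_compare(secret: str, guess: str) -> Tuple[bool, int]:
    """Naive check that returns at the first mismatch.

    The step count stands in for response time: every matching prefix
    character costs one more step, which is exactly what a timing
    measurement of the badly-implemented server would expose."""
    steps = 0
    for a, b in zip(secret, guess):
        steps += 1
        if a != b:
            return False, steps
    return len(secret) == len(guess), steps


def constant_time_compare(secret: str, guess: str) -> Tuple[bool, int]:
    """Check whose work does not depend on where the first mismatch lies.

    hmac.compare_digest (stdlib) examines every byte, so the step count
    is always len(secret): the oracle no longer distinguishes positions."""
    return hmac.compare_digest(secret.encode(), guess.encode()), len(secret)


def recover_with_oracle(length: int, oracle: Oracle) -> Tuple[Optional[str], int]:
    """Guess one position at a time using only (match, steps) from the oracle.

    Returns (recovered secret, number of oracle queries), or (None, queries)
    when no single candidate stands out at some position, i.e. the oracle
    leaks nothing. The secret length is assumed to be known."""
    known = ""
    queries = 0
    for i in range(length):
        filler = "a" * (length - i - 1)        # arbitrary padding for untested positions
        passing: List[str] = []
        for c in ALPHABET:
            match, steps = oracle(known + c + filler)
            queries += 1
            # A correct candidate either lets the comparison advance past
            # position i, or (at the last position) matches outright.
            if match or steps > i + 1:
                passing.append(c)
        if len(passing) != 1:
            return None, queries
        known += passing[0]
    return known, queries


def search_sizes(length: int) -> Tuple[int, int]:
    """(queries for the position-at-a-time search, size of the full keyspace)."""
    return length * len(ALPHABET), len(ALPHABET) ** length


if __name__ == "__main__":
    secret = "dog"   # constructed sample secret
    leaky = lambda g: early_exit_compare(secret, g)
    safe = lambda g: constant_time_compare(secret, g)
    print(recover_with_oracle(len(secret), leaky))   # ('dog', 78)
    print(recover_with_oracle(len(secret), safe))    # (None, 26)
    print(search_sizes(len(secret)))                 # (78, 17576)
```

Against the early-exit check, a three-letter secret falls in 3 * 26 = 78 queries instead of 26^3 = 17576, which is the linear-versus-exponential gap Steve describes. Against `constant_time_compare`, every candidate at position 0 looks equally good, so the procedure stops after 26 queries with nothing learned; that is the property a constant-time comparison is meant to provide, and the reason password and MAC checks should never return on the first differing byte.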