> On Sep 17, 2019, at 6:51 PM, dwight via cctalk <cctalk@classiccmp.org> wrote:
>
> ...
> This latest one is bad for a touch typer or those that always enter the
> password in the same way. It looks for the timing of when you hit keys and
> then makes guesses on what keys would typically take that length of time to
> type.
Speaking of timing, that reminds me of two amazing security holes written up in
the past few years. Nothing to do with the Spectre etc. issue.
One is the recovery of speech from an encrypted VoIP channel such as Skype, by
looking at the sizes of the encrypted data blocks. (Look for a paper named
"Hookt on fon-iks" by White et al.) The fix for this is message padding.
The other is the recovery of the RSA private key in a smartphone by listening
to the sound it makes while decrypting. The fix for this is timing tweaks in
the decryption inner loop. (Look for a paper by, among others, Adi Shamir, the
S in RSA and one of the world's top cryptographers.)
It's pretty amazing what ways people find to break into security mechanisms.
paul
