[VulnWatch] OpenSSL Private Key Disclosure
From: Chris Wysopal (firstname.lastname@example.org)
Date: Fri, 14 Mar 2003 05:05:37 +0000 (GMT) From: Chris Wysopal <email@example.com> To: firstname.lastname@example.org
Remote timing attacks are practical
Authors: D. Boneh and D. Brumley
Timing attacks are usually used to attack weak computing devices such as
smartcards. We show that timing attacks apply to general software systems.
Specifically, we devise a timing attack against OpenSSL. Our experiments
show that we can extract private keys from an OpenSSL-based web server
running on a machine in the local network. Our results demonstrate that
timing attacks against network servers are practical and therefore all
security systems should defend against them.
Submitted to Usenix Security.