Re: Successful remote AES key extraction

From: Vernon Schryver (vjs_at_calcite.rhyolite.com)
Date: 04/25/05


Date: Sun, 24 Apr 2005 23:13:56 -0600 (MDT)

In article <slrnd6oqff.20d2.usenet@stoneport.math.uic.edu>,
D. J. Bernstein <djb@cr.yp.to> wrote:

> Unless you have a foothold inside your target's network, a network
> round trip is likely to be at least 50 milliseconds. 2^27 50 ms
> round trips for 400 byte blocks require about 1800 hours or 75 days
> and 50 GByte.
>
>which asserts that Internet links are limited to 8 kilobytes per second.
>(``Hide the servers, Spock! It's an 8KBps flood! We're under attack!'')

That is a knowing misrepresentation and quoting out of context of my
point. It intentionally confounds bits per second of a spew of
UDP/IP packets with TCP/IP probes per second. We've already been over
the fact that for at least many target applications, a round trip will
be required for each probe. Each probe will be early in a TCP session
and the failure of the probe to decrypt will cause the target to write
to its log and break the TCP connection. If you're waiting for round
trips, you won't be running very fast.

>I recall one point where Vernon asked a simple question (whether there
>were always block-count limits) and I answered it. But most of his
>postings have been garbage and deserve to be treated as such.

D.J.Bernstein's answer to that mostly rhetorical question was not quite
right. Because I didn't challenge it, he assumed I didn't notice the
misstatement--or didn't notice it himself.

None of us knows much of anything, but some people are incapable of
admitting their own ignorance and so cannot check facts before
pontificating. Thus we have the spectacle of claims including
  - "many" existing AES installations are genuinely vulnerable to
      network cache timing attacks.
  - NTP is a simple time of day protocol like port 13 or 37.
  - typical Internet path delays are stable to 10 microseconds
  - asymmetric path delays can have no effects on remote timing measurements.
  - snooping on VPN traffic for a timing attack is easy.

After staying under his radar since he came to my notice with his
complaints about the IDENT protocol being a theft of his TAP
(or something like that...I never understood despite reading his
endless IETF complaints. see
http://www.google.com/search?q=dan+bernstein+TAP+site:ietf.org
and http://www.google.com/search?q=dan+bernstein+site:ietf.org )
I have committed the mortal sin of openly disagreeing and refusing to
be awed or cowed.

His contribution of pointing out that cache misses are visible over
LANs with an extremely artificial toy server that does the hard work
with timestamps is valuable, but not valuable enough to pander to delusions
of grandeur by pretending that the AES sky has fallen.

Note that despite all of his talk about measuring timing over the
network, D.J.Bernstein reported doing none of that! The toy server did
the measuring with its own high resolution clock. Given those timestamps,
it's not clear what the network parts of his test were supposed to
show--no, that's wrong--it's clear what he wants readers to overlook
and assume. Read carefully and see that his proof that honest network
timing of AES cache misses is possible is a reference to other people's
work measuring signals 100 times larger over a campus network. Also
read http://crypto.stanford.edu/~dabo/papers/ssl-timing.pdf to see that he
forgot to mention that they in effect considered measuring cache misses,
albeit not as a goal but as a difficulty in their experiments.

enough.

Vernon Schryver vjs@rhyolite.com
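The two pieces of arithmetic argued over above, one round trip per probe and a cache-miss signal buried in network jitter, worked as an added example. This is not code from either poster or from any paper cited in the thread; the probe count, round-trip time and block size mirror the figures in the quoted text, while the signal size, jitter and confidence threshold are assumed parameters chosen for illustration, not measurements.

```python
"""Cost model for a remote cache-timing probe campaign (added example).

All numbers are assumptions: 2^27 probes, 50 ms RTT and 400-byte blocks
come from the quoted post; a 100 ns cache-miss signal and 10 us of path
jitter are illustrative values, not measurements.  Change them to match
your own traces.
"""
import math
import random


def samples_needed(delta_ns: float, sigma_ns: float, z: float = 3.0) -> int:
    """Probes per class needed to tell two timing classes apart.

    delta_ns: true mean timing difference between the classes (the
              signal, e.g. one cache miss vs. hit on a table lookup).
    sigma_ns: standard deviation of per-probe measurement noise; when
              measuring over the network, path jitter dominates this.
    z:        how many standard errors of separation you require.

    The difference of two sample means has standard error
    sigma * sqrt(2 / n); demanding delta >= z * that gives
    n >= 2 * (z * sigma / delta) ** 2.
    """
    return math.ceil(2.0 * (z * sigma_ns / delta_ns) ** 2)


def attack_cost(probes: int, rtt_s: float, bytes_per_probe: int) -> dict:
    """Wall-clock and traffic cost when every probe costs one round trip.

    This is the post's point: if the target logs the failed decrypt and
    tears down the TCP session, probes cannot be pipelined, so each one
    pays a full RTT.  Returns hours, days and total bytes sent.
    """
    seconds = probes * rtt_s
    return {
        "hours": seconds / 3600.0,
        "days": seconds / 86400.0,
        "bytes": probes * bytes_per_probe,
    }


def simulate_estimate(delta_ns: float, sigma_ns: float, n: int,
                      seed: int = 1) -> float:
    """Monte Carlo check of samples_needed on constructed data.

    Draws n noisy probes for a 'hit' class (mean 0) and n for a 'miss'
    class (mean delta_ns) with Gaussian jitter sigma_ns, and returns the
    estimated mean difference in ns.  The standard error of that
    estimate is sigma_ns * sqrt(2 / n).
    """
    rng = random.Random(seed)
    hit = [rng.gauss(0.0, sigma_ns) for _ in range(n)]
    miss = [rng.gauss(delta_ns, sigma_ns) for _ in range(n)]
    return sum(miss) / n - sum(hit) / n


if __name__ == "__main__":
    # Assumed signal and jitter (ns): a ~100 ns lookup-miss signal
    # against the 10 us path stability claimed in the thread.
    delta, jitter = 100.0, 10_000.0
    n = samples_needed(delta, jitter)
    print(f"probes per class to resolve {delta:.0f} ns under "
          f"{jitter:.0f} ns jitter at 3 sigma: {n}")
    print(f"estimate with {n} probes/class: "
          f"{simulate_estimate(delta, jitter, n):.1f} ns (true {delta:.0f})")
    print(f"estimate with 100 probes/class: "
          f"{simulate_estimate(delta, jitter, 100):.1f} ns (true {delta:.0f})")

    # The quoted figures: 2^27 round trips, 50 ms each, 400 bytes apiece.
    cost = attack_cost(2 ** 27, 0.05, 400)
    print(f"2^27 probes at 50 ms RTT: {cost['hours']:.0f} h "
          f"({cost['days']:.1f} days), {cost['bytes'] / 1e9:.1f} GB")
```

The model is deliberately simple: it assumes independent Gaussian jitter per probe and ignores the asymmetric and drifting path delays the post also raises, both of which bias a remote estimate rather than merely widening it, so the sample count it returns is a floor, not an estimate of what a real campaign would need.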
