TBTF for 1995-12-15: Timing is all; Microsoft security in the crosshairs

• Messages sorted by: [ date ][ thread ][ subject ][ author ]
• Previous message: Keith Dawson: "TBTF for 1995-12-10: Punctuated equilibrium: Visual Basic vs. Java"

Quantum computers and quantum physics See also TBTF for 1999-10-05, 01-04, 1998-11-03, 10-27, 09-14, 03-09, 03-02, 02-23, 1997-11-24, 09-15, 05-22, more...

Fundamental vulnerability identified in many public-key cryptosystems

Paul Kocher <pck at cryptography dot com> has discovered that some implementations
of public-key cryptosystems are vulnerable to an attack based on timing en-
cryption/decryption operations. Kocher's insight was that accurate timing of
these operations might yield information about the keys being used. The at-
tack is valid in theory against most of the public-key systems in widespread
use today: RSA, DES, Diffie-Hellman, and others. Kocher has written a prelim-
inary paper which the mathematically inclined among you might want to peruse:
<http://www.cryptography.com/timingattack.html>. Here is its abstract.

> ABSTRACT. Cryptosystems often take slightly different amounts of time
> to process different messages. With network-based cryptosystems, cryp-
> tographic tokens, and many other applications, attackers can measure
> the amount of time used to complete cryptographic operations. This ab-
> stract shows that timing channels can, and often do, leak key mater-
> ial. The attacks are particularly alarming because they often require
> only known ciphertext, work even if timing measurements are somewhat
> inaccurate, are computationally easy, and are difficult to detect.
> This preliminary draft outlines attacks that can find secret exponents
> in Diffie-Hellman key exchange, factor RSA keys, and find DSS secret
> parameters. Other symmetric and asymmetric cryptographic functions are
> also at risk. A complete description of the attack will be presented
> in a full paper, to be released later. I conclude by noting that
> closing timing channels is often more difficult than might be ex-
> pected.

Kocher is cautious enough to stress that the full significance of his dis-
covery is not yet known; but reportedly everyone who has seen his paper
(including Matt Blaze, Martin Hellman, and Ron Rivest) believes it to be
important.

You might imagine that a timing-based attack of this sort could be pre-
empted by careful design, for instance by introducing random time delays
in encryption/decryption algorithms. But existing, deployed systems are
going to be difficult to patch up. Kocher is consulting with Netscape and
others to help design defenses against the vulnerability he has discovered.

The real damage this discovery does is to the confidence we can invest in
any given approach to cryptography over the long haul. I've been expecting
a development like this ever since I heard Ron Rivest speak on the then-new
technique of public-key encryption at DEC's research labs in 1977. I can't
claim any insight or prescience as to what kind of invention might eventual-
ly undermine PK -- I would have favored someone discovering a fast way to
factor primes. But in general it's not wise to bet on long-term limits to
human inventiveness.

What can we believe in? A provably secure encryption system, if such is pos-
sible. One-time pads? A knowledgable source tells me that "every time one-
time pads are mentioned, the cypherpunks list laughs." I plan to investigate
this claim and will let you know what I find. For one such proposal see TBTF
for 1995-10-03. Encryption based on quantum uncertainty? British Telecomm is
experimenting in this area, but practical applications, if any, are years away.

Microsoft security bugs and exploits See also TBTF for 1999-08-30, 1998-02-02, 01-26, 01-19, 1997-11-17, 11-10, 10-20, 08-11, 06-23, 05-22, 05-08, more...

Microsoft quietly patches over a security chasm

A Win95 security bug has been discussed on the Windows 95 Net Bugs newsgroup
since 11/1. At this moment news of this bug headlines the newsgroup's FAQ at
<http://www-leland.stanford.edu/~llurch/win95netbugs/faq.html>. The bug in-
volves weak protection of the password of the Windows screensaver; instruc-
tions for cracking the password were posted to the Net. Microsoft has claimed
that no customers have complained about the problem, which seems not to be
strictly true. On 12/7 (the day of the Internet strategy announcements) Mic-
rosoft quietly posted a patch, and on 12/14 moved it to an official software-
update area; see <http://www.microsoft.com/windows/software/mspwlupd.htm>.
When you see this news in print, most likely first in PC Week, they'll cite
the old URL.

Thanks to FAQ owner Rich Graves <llurch at networking dot stanford dot edu> for the heads-
up on this affair.

Community ConneXion strikes again

The Berkeley "Internet Privacy Provider" that offered a tee shirt for suc-
cessfully hacking Netscape (and apparently inspired Netscape's own Bugs Bounty
program -- see next item) has opened up a new competition. Hackers are now
invited to discover and document security flaws in Microsoft products. The
contest is introduced on the C2 pages <http://www.c2.org/hackmsoft/> thus:

Netscape Bugs Bounties claimed

Netscape awarded two $1000 prizes to the discoverers of security-related
bugs or vulnerabilities in Netscape products. One went, not surprisingly,
to Paul Kocher (see above), though Netscape is careful to stress that Kocher
did not prove that Netscape Navigator in particular could be compromised by
applying his technique. (Disingenuous, I calls it.) The other prize was
awarded to Scott Weston <scott at tripleg dot com dot au>, whose claim to it I endorsed
in TBTF for 1995-12-02. Scott discovered and publicly exposed a security flaw in
Netscape Navigator 2.0 beta 2 that allowed JavaScript to extract the history of
a user's browser session. Netscape had already fixed the vulnerability by the time
of beta 3.

Everybody's getting an Internet strategy

The week after Microsoft surprised one and all with its Internet strategy
(see TBTF for 1995-12-02) Lotus announced one too. A tight integration of
Notes with HTTP, HTML, both secure sockets and secure HTTP, and Java
marks the growing consolidation of the formerly separate markets for
groupware, messaging applications, and the Web. Lotus will bundle a browser
with the next release of Notes and in a later release include a Web server
as well. Eventually Lotus may be backed into offering most of the Notes
functionality in its Web browser, given Microsoft's intention to incorporate
its not-yet-released Exchange into its Explorer browser. Lotus's announcement
means that they (and IBM) will stay solidly in the game against Microsoft (with
Exchange) and Netscape (with Collabra).

<http://www.lotus.com/mediadv/> is the top page for coverage of the Lotus
strategy and announcements. The white paper "Lotus Notes and the Internet"
at <http://www.lotus.com/mediadv/inwhtp.htm> provides a useful overview; its
appendixes summarize the products announced.

Essential tools

• Web style manual: Where do you go for authoritative advice on Web-site de-
  sign -- in other words, where is the Web's Chicago Manual of Style, its
  Joy of Cooking? My nomination is the Yale Center for Advanced Instruc-
  tional Media Web Style Manual. This elegant set of pages is self-refer-
  entially exemplary, as a good style manual should be. (Anyone remember
  Fleisch's little classic Type: How to Make It Most Readable?) Yale's
  Patrick J. Lynch <lynch at biomed dot med dot yale dot edu> is a good designer and a good
  teacher; his advice has the timelessness of Strunk and White's The Ele-
  ments of Style, and it will still be relevant when we're well into the
  era of Java-enhanced multimedia pages delivered at 6 Mbps to your screen.
  

  <http://info.med.yale.edu/caim/StyleManual_Top.HTML>.
  

Don't look now

You cast your stone upon the waters and never know how far the ripples will
spread, to thoroughly mix a metaphor (and to egregiously split an infinitive).
There aren't yet any direct subscribers to TBTF at Netscape or Sun, but these
two stories appeared in Edupage the day after TBTF for 1995-12-10 hit the wires.
a Sun spokesman using the metaphor of prevertabrate evolution; the second
cites the Netscape CEO sounding uncannily like a Muhajadhin fighter. Coinci-
dence? Perhaps.

>>From Edupage (1995-12-11):

> ...Microsoft is putting together a formidable laboratory of computer
> research stars responsible for many major advances in the past two
> decades, although skeptics such as Sun's John Gage suggest their
> future is behind them: "The computer industry is preparing for the
> new life forms to emerge. Is Microsoft going down a pathway that
> refines jellyfish when it's time to leap to vertebrates?" (New York
> Times 11 Dec 95 C3)

> Netscape has vowed to wage a "dogfight" with Microsoft in setting
> standards for Internet software. CEO James Barksdale says his company
> will continue to develop products that operate independently of any
> particular computer operating system, noting that, "We offer freedom
> to the masses. It's a tough fight -- I'll grant you that -- but we're
> brave. We're well financed. We believe that God is on our side."
> (Investor's Business Daily 11 Dec 95 A7)

>>Edupage -- mail listproc@educom.edu without subject
> and with message: subscribe edupage <your name> .

• Previous message: Keith Dawson: "TBTF for 1995-12-10: Punctuated equilibrium: Visual Basic vs. Java"