Cryptography
- aes cryptanalysis attack timing-attack
- Updated Sun, 19 Jun 2022 01:56:10 GMT
-
What are the implications of a non “constant time” implementations on trusted systems in a non-network scenario?
Assume a scenario where a symmetric encryption algorithm (for example: AES) wasn't implemented in a way it would safeguard against timing attacks. This symmetric encryption implementation is only used locally to encrypt/decrypt data.
The only time that data is passed via a network (if at all), it is done so as pre-encrypted data (read: as locally created ciphertext). Yet, network transport itself is implemented differently, uses SSL, and doesn't have any constant time issue. Practically this means that if, the locally created ciphertext passes the wire in a let's just call it double-encrypted form. So, let's not focus on network transport, but rather on the core of the scenario which I'm asking about: the local, non-network part where data is encrypted/decrypted locally using a different, non constant time implementation.
In the above scenario, it seems as if timing attacks aren't much of an attack vector unless we assume trusting local systems might be a problem, which in this scenario can be ruled out as the local systems are trusted (think along the lines of a Sensitive Compartmented Information Facility).
To be sure I'm not missing something due to limiting my thoughts too much on network-related timing attacks:
- What are the potential implications of a non constant time implementations on trusted systems in a non-network scenario, if any?
Differently put:
- If we assume the local, non-network encryption/decryption to be handled by trusted systems in a compartmented facility, do we still have to worry about implementing that local encryption algo in constant time? If so, what are the attack vectors we're trying to cover by doing so?
Solution
"Constant-time" is about not leaking information through timing-based side-channels. If you assume that there is no side-channel, then, in particular, there is no side-channel attack. It is nevertheless a rather bold assumption.
There is a large variety of possible side-channels, and lab demonstrations of attacks have been done exploiting, among others, power usage (especially through differential power analysis), electromagnetic emissions, sound,... Most, though, require the attacker to be in the physical vicinity of the target systems (the actual operating distance may vary, e.g. up to a few dozen meters for sound-based attacks). Timing attacks are special in that respect, since, thanks to the magic of the Internet, they may be exploitable from very remote attackers.
If there is no network, then attacks will be geographically constrained, and thus physical protection measures (isolated building with guards) should be effective. So, in effect, your question really hinges on whether the target system is really "compartmented". As illustrations, consider the following:
Some of the demonstrations of timing attacks have been across virtual machines: the attacker and the victim run in two different VM that merely happens to be cohosted on the same hardware. From an abstract point of view, the isolation contract of the VM is fulfilled; and still, the keys flow.
Not leaving physical tracks is incredibly difficult. For instance, it is possibly to listen on conversations held in a room from a large distance, with a laser microphone: a reflective surface (e.g. a window) vibrates in response to the sound waves, and such vibrations are picked up with interferometry. Theoretically, this kind of listening should work with acoustic attacks.
Electrical activity may leak over power lines. A nominally non-networked system may still send considerable information, unwittingly, over its power cable. This can be fixed with isolation transformers, but ascertaining that such transformers are in place where they should can be quite difficult.
Ultimately, systems are never completely isolated: at some point, some result should exit and have a physically observable effect; otherwise, whatever the system does becomes irrelevant, from a philosophical point of view. Therefore, the overall processing time is available. Then it is a matter of quantifying the precision of the measure.
Thus, in practice, having a non-constant-time AES implementation can be guaranteed not to be an issue only in usage contexts where true physical compartmentation can be shown to be applied, and, in particular, where the ultimate "networking" happens in human-compatible time (i.e. in a matter of days, not microseconds). This tends to be the kind of context where performance is not an issue, thereby removing the most common excuse for using non-constant-time implementations.
External Links
External links referenced by this document: