Computing Reviews
Strength of two data encryption standard implementations under timing attacks
Hevia A., Kiwi M. ACM Transactions on Information and System Security 2(4): 416-437, 1999. Type: Article
Date Reviewed: Jul 1 2000

The vulnerability of two implementations of the Data Encryption Standard (DES) to timing attacks (attacks that recover secret information by measuring how long cryptographic operations take) is clearly described. Timing attacks were first proposed by Kocher.

One of the implementations analyzed is from the RSAEuro cryptographic toolkit; the other is due to Louko. The authors found that, in these implementations, the running time of an operation depends approximately linearly on the Hamming weight of the key. The statistics for this relationship were derived from 2^16 time measurements of encryption and key generation operations using random keys. (The paper includes an interesting appendix on timing measurement under the MS-DOS operating system.) The authors present an extensive statistical analysis whose aim is to show that an attacker can derive information about the key without knowledge of the design characteristics of the target system. Finally, they suggest "blinding techniques" that normalize the encryption time and thus protect a system from the attack.

The fault is evidently in the code for key generation; any cryptographic protocol using a key schedule is therefore potentially vulnerable. These errors can be subtle; for example, any code of the form if (cond) block1 else block2, where cond depends on each bit of the key in turn, and in which the two blocks have different execution times, could enable a timing attack. I examined some DES implementations in vain, searching for such code. Thus, it appears that a programmer aware of this attack can prevent it by careful coding. In other words, vulnerability to timing attacks appears to be a function of the implementation, not of the algorithm.
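The following is an added illustration of the key-dependent branch pattern just described, written for this review; it is not code from the paper, from RSAEuro, or from Louko's implementation. It applies the real DES PC-1 permutation (the first step of the key schedule) in two ways: a leaky form whose `if` body executes once per set key bit, and a constant-time form that does identical work for every key. Execution time is modelled by a `work` counter rather than measured, since wall-clock timing is noisy and machine-dependent; the sample keys are constructed for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* DES PC-1 table (1-indexed positions into the 64-bit key; bit 1 is the MSB
 * of byte 0). It drops the eight parity bits 8, 16, ..., 64 and permutes the
 * remaining 56 bits. */
static const uint8_t PC1[56] = {
    57, 49, 41, 33, 25, 17,  9,  1, 58, 50, 42, 34, 26, 18,
    10,  2, 59, 51, 43, 35, 27, 19, 11,  3, 60, 52, 44, 36,
    63, 55, 47, 39, 31, 23, 15,  7, 62, 54, 46, 38, 30, 22,
    14,  6, 61, 53, 45, 37, 29, 21, 13,  5, 28, 20, 12,  4
};

/* Fetch key bit `pos` (1..64, DES numbering) as 0 or 1. */
static unsigned key_bit(const uint8_t key[8], unsigned pos)
{
    return (key[(pos - 1) / 8] >> (7 - ((pos - 1) % 8))) & 1u;
}

/* Leaky PC-1: the body of the `if` runs only for 1-bits, so the number of
 * executed blocks (modelled by *work) equals the Hamming weight of the 56
 * effective key bits. This is the "if (cond) block1 else block2" pattern
 * with cond depending on each key bit in turn. */
void pc1_leaky(const uint8_t key[8], uint8_t out[7], unsigned long *work)
{
    memset(out, 0, 7);
    for (unsigned i = 0; i < 56; i++) {
        if (key_bit(key, PC1[i])) {
            out[i / 8] |= (uint8_t)(0x80u >> (i % 8)); /* runs only for 1-bits */
            (*work)++;
        }
    }
}

/* Constant-time PC-1: no key-dependent branch; the same instructions run for
 * every key, so *work is always 56 regardless of the key's Hamming weight. */
void pc1_ct(const uint8_t key[8], uint8_t out[7], unsigned long *work)
{
    memset(out, 0, 7);
    for (unsigned i = 0; i < 56; i++) {
        unsigned b = key_bit(key, PC1[i]);
        out[i / 8] |= (uint8_t)((b << 7) >> (i % 8)); /* 0x80 or 0x00, shifted */
        (*work)++;
    }
}

/* Hamming weight of the 56 key bits that PC-1 selects (parity bits excluded). */
unsigned effective_hamming_weight(const uint8_t key[8])
{
    unsigned w = 0;
    for (unsigned i = 0; i < 8; i++) {
        uint8_t b = key[i] & 0xFEu; /* the LSB of each byte is a parity bit */
        while (b) { w += b & 1u; b >>= 1; }
    }
    return w;
}

unsigned long leaky_work(const uint8_t key[8])
{
    uint8_t out[7]; unsigned long w = 0;
    pc1_leaky(key, out, &w);
    return w;
}

unsigned long ct_work(const uint8_t key[8])
{
    uint8_t out[7]; unsigned long w = 0;
    pc1_ct(key, out, &w);
    return w;
}

/* Both routines must agree on the permuted key; only their timing differs. */
int pc1_results_match(const uint8_t key[8])
{
    uint8_t a[7], b[7]; unsigned long wa = 0, wb = 0;
    pc1_leaky(key, a, &wa);
    pc1_ct(key, b, &wb);
    return memcmp(a, b, 7) == 0;
}

/* Constructed sample keys (not from the paper): all-zero, all-one, and the
 * widely used DES tutorial key 0x133457799BBCDFF1. */
const uint8_t *sample_key(int idx)
{
    static const uint8_t keys[3][8] = {
        {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
        {0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF},
        {0x13, 0x34, 0x57, 0x79, 0x9B, 0xBC, 0xDF, 0xF1}
    };
    return keys[idx % 3];
}

int main(void)
{
    for (int k = 0; k < 3; k++) {
        const uint8_t *key = sample_key(k);
        printf("key %d: weight=%u leaky_work=%lu ct_work=%lu match=%d\n", k,
               effective_hamming_weight(key), leaky_work(key), ct_work(key),
               pc1_results_match(key));
    }
    return 0;
}
```

The leaky routine's work count tracks the key's Hamming weight bit for bit, which is exactly the statistic the paper observes leaking through execution time; the constant-time routine's count is flat at 56. On real hardware the same check is made by timing many runs per key with random keys and regressing duration on Hamming weight, as the authors did; a slope that is indistinguishable from zero is the goal.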

These results seem to apply to two specific implementations of one specific algorithm, but the possibility remains that similar attacks might be effective against other implementations of DES and against other algorithms. In particular, the US National Institute of Standards and Technology is currently evaluating candidate algorithms for an Advanced Encryption Standard (AES). Are those algorithms vulnerable to this attack? Also, even if a blinding method were to succeed in averting the attack, the system's throughput would be reduced.

Reviewer:  J. Wolper Review #: CR122849
Code Breaking (E.3 ... )
Special-Purpose And Application-Based Systems (C.3 )
