17 Sep
2019
17 Sep
'19
5:19 p.m.
On Sep 17, 2019, at 6:51 PM, dwight via cctalk
<cctalk at classiccmp.org> wrote:
...
This latest one is bad for a touch typer or those that always enter the password in the
same way. It looks for the timing of when you hit keys and then makes guesses on what keys
would typically take that length of time to type.
Speaking of timing, that reminds me of two amazing security holes written up in the past
few years. Nothing to do with the Spectre etc. issue.
One is the recovery of speech from an encrypted VoIP channel such as Skype, by looking at
the sizes of the encrypted data blocks. (Look for a paper named "Hookt on
fon-iks" by White et al.) The fix for this is message padding.
The other is the recovery of the RSA private key in a smartphone by listening to the sound
it makes while decrypting. The fix for this is timing tweaks in the decryption inner
loop. (Look for a paper by, among others, Adi Shamir, the S in RSA and one of the
world's top cryptographers.)
It's pretty amazing what ways people find to break into security mechanisms.
paul