side-channel attacks

[Gadi Evron <ge () linuxbox org>]

Wayne J. Hauber wrote:
> Does this article seem plausible? If so, it adds a new security risk 
> that I had never considered.
>
> http://www.securityfocus.net/news/11318
>

I recently posted about this somewhere else.

Side channel attacks are not new. You can listen to the keyboard, cpu, 
hdd, etc. You can go with EM radiation. You can use a telescope to view 
through a window a reflection off a wall. All you have to do is Google. :)

But yes, side channel attacks are cool. Thing is, there are usually 
*much* easier ways of doing things.

A Trojan horse can also be considered a side-channel attack if we are 
talking encryption, which is exactly the difference between how crypto 
guys and security guys think.

If you ask a crypto guy what the best way of breaking RSA is, you'd get 
a complicated answer with if's, maybe's and math. If you ask a security 
guy (or in this case, me), I'd just say use a Trojan horse.

For crypto guys, once an algorithm is found weak it is no longer trusted 
and they try and develop new ones, which is good for their science. As 
security people the more vulnerabilities are found and fixed the more 
secure we feel (except for worrying that the coders suck and the holes 
will keep showing).

Back to side-channel attacks, try Googling for what Adi Shamir has to 
say on them. I love this subject. It's way cool.

    Gadi.

--
My blog: http://blogs.securiteam.com/?author=6

"The third principle of sentient life is the capacity for self-sacrifice 
--- the conscious ability to override evolution and self-preservation 
for a cause, a friend, a loved one."
        -- Draal, "A Voice in the Wilderness", Babylon 5.
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.