Timing attack experiment

From Inforail

Keywords

security, timing attack, constant-time string comparison

Objective

  • Create a test environment to see whether a timing attack is feasible
  • Analyze and document your findings
  • Compare your results with those of your colleagues
  • Write a constant-time string comparison function

Requirements

Create a program that contains a hard-coded string X="TrurlAndKlapaucius" and compares it with a series of strings that are identical in length and differ only in the last N characters.

Adjust N in a loop, such that:

  • everything matches (i.e. N=0)
  • only the last character is different
  • only the last 2
  • only the last 3, etc.

Record the duration of each operation; it is a good idea to repeat the comparison multiple times in order to get an average value. This minimizes the effect of other processes that might consume CPU time while the comparison is taking place.

  • Implement a constant-time string comparison function and repeat the experiment, noting the results. Are they different? Think about it.
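
One way to lay out the experiment described above, as an added example that is not part of the original page: an early-exit comparison and a constant-time one are timed against candidates whose last N characters differ, and the averages are printed as CSV. The function names, the '#' filler character, the repetition count and the use of clock() (CPU time) are assumptions of this example.

```c
#include <stdio.h>
#include <string.h>
#include <time.h>

static const char X[] = "TrurlAndKlapaucius";   /* hard-coded string from the assignment */
#define XLEN (sizeof X - 1)

/* Early-exit comparison: returns at the first mismatch, so run time depends on its position. */
int naive_equal(const char *a, const char *b, size_t len) {
    for (size_t i = 0; i < len; i++)
        if (a[i] != b[i]) return 0;
    return 1;
}

/* Constant-time comparison: always reads all len bytes, no data-dependent branch or exit. */
int ct_equal(const char *a, const char *b, size_t len) {
    volatile unsigned char diff = 0;   /* volatile keeps the compiler from short-circuiting */
    for (size_t i = 0; i < len; i++)
        diff |= (unsigned char)(a[i] ^ b[i]);
    return diff == 0;
}

/* Same length as X, last n characters replaced (n <= XLEN). '#' never occurs in X. */
const char *candidate(size_t n) {
    static char buf[sizeof X];
    memcpy(buf, X, sizeof X);
    memset(buf + XLEN - n, '#', n);
    return buf;
}

/* Average CPU time per call in nanoseconds over reps calls. */
double avg_ns(int (*cmp)(const char *, const char *, size_t), const char *cand, long reps) {
    const char *volatile p = cand;     /* re-read every iteration so the call is not hoisted */
    volatile int sink = 0;             /* consume the result so the call is not dropped */
    clock_t t0 = clock();
    for (long r = 0; r < reps; r++) sink += cmp(X, p, XLEN);
    clock_t t1 = clock();
    return (double)(t1 - t0) / CLOCKS_PER_SEC * 1e9 / (double)reps;
}

int main(void) {
    puts("N,naive_ns,ct_ns");          /* CSV: redirect to a file to keep a log or plot it */
    for (size_t n = 0; n <= XLEN; n++) {
        const char *c = candidate(n);
        printf("%zu,%.2f,%.2f\n", n, avg_ns(naive_equal, c, 1000000L),
               avg_ns(ct_equal, c, 1000000L));
    }
    return 0;
}
```

Compiler optimization level and CPU frequency scaling both change the measured values, so note them alongside the log.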

Grading policy

Assuming that everything works right,

  • 7 - implement the constant-time string comparison function
  • 9 - gather data on comparison times in a log
  • 10 - visualize your results graphically

Note: your experiment might fail to show any sign of a timing attack actually working. This is not a problem, as long as you document your results and offer some plausible explanations for this behaviour.


Self-test questions

  • Why is a constant-time string comparison function necessary?
  • What makes it difficult to accurately measure the time to compare two strings?
  • How does the Hamming distance between two strings affect the time to compare them?
  • What are the limitations of timing attacks?
  • Which rules of thumb will thwart timing attacks against a system?

