[Haskell-cafe] Tor project
mike at proclivis.com
Thu Jul 31 23:42:19 UTC 2014
I am not an expert, but I think timing attacks try to push data through a system and look for time dependent calculations. If every packet that leaves a system has the same data size and the same encryption time, the attacker would not be able to detect any difference in time wrt difference in data. Time could also vary if you mucked with the voltage of the CPU, or if some calculation could.
I would guess that if it is not possible to make all packages the same size and time, randomizing time would hide time differences. However, it may be possible to extract randomness. This is just a conjecture on my part.
A workaround might be to use hardware encryption. I work on an A9, and with openssl, there is the option to have hardware do the actual encryption, etc. I have not had the time to implement this, but I believe that Linux for IMX6 has support for hardware encryption. If nothing else, it is best to use the hardware for random number generation.
My interest would be to run it on my Wandboard and Yocto Linux. Hence my questions about cross-compilers. I am still stuck on that problem because I have not figured out how to make GHC pass architecture options to the gcc cross compiler but not to the local Linux gcc. It seems some variables in the build are tied together. But eventually I'll probably figure it out.
I think the Hypervisor approach is also interesting. Just build a mini OS with TLS and Tor. That could reduce the attack surface by eliminating Linux. This would be interesting for a repeater. I was thinking of doing the same on top of a smaller kernel such as eCos. I tried to get GHC running on that, but there is some missing POSIX support, so I went back to Linux.
On Jul 31, 2014, at 3:11 PM, Wojtek Narczyński <wojtek at power.com.pl> wrote:
> On 31.07.2014 18:59, Adam Wick wrote:
>> As for TLS, it is possible that timing attacks based on a functional language implementation could be more likely than those for a traditional C implementation. (...) I don’t believe the balance has been studied, but it’d be interesting.
> I believe no evidence is available, not even anecdotal. And it would be rather expensive a subject to study.
> But, AFAIK, the (necessary and sufficient) protection against timing attacks is the addition of randomized waits. In the protocol layer, not in pure encryption/decryption/hashing routines. I strive not to use words I don't understand, but I have the M. word in mind for structuring such a computation.
> In other words, I think it is a myth.
> Kind regards,
> Wojtek N.
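The thread above raises two proposed mitigations: equalising packet size and encryption time (Mike's message) versus adding randomized waits in the protocol layer (Wojtek's reply). The following is an added example, not code from either poster; it uses a simulated cost model (units of work, not a wall clock, so it runs deterministically) with a constructed secret, to compare how each mitigation holds up once an observer averages many samples.

```python
import random
import statistics

# Constructed secret; the comparison cost is simulated as "units of work",
# not measured with a wall clock, so results are reproducible.
SECRET = b"correct-horse-battery"

def leaky_cost(guess: bytes, secret: bytes = SECRET) -> int:
    """Cost model of an early-exit comparison: one unit per byte examined.
    It stops at the first mismatch, so cost grows with the matching prefix."""
    cost = 0
    for g, s in zip(guess, secret):
        cost += 1
        if g != s:
            break
    return cost

def constant_cost(guess: bytes, secret: bytes = SECRET) -> int:
    """Cost model of a constant-time comparison: every byte is always examined,
    so the cost never depends on the data (Mike's 'same encryption time')."""
    acc = 0
    for g, s in zip(guess, secret):
        acc |= g ^ s
    return len(secret)

def mean_cost(cost_fn, guess, samples, jitter, rng):
    """Average cost over many samples, each padded with a uniform random wait
    (Wojtek's 'randomized waits')."""
    return statistics.fmean(cost_fn(guess) + rng.uniform(0, jitter)
                            for _ in range(samples))

def prefix_signal(cost_fn, samples=2000, jitter=50.0, seed=1):
    """Difference in mean cost between a guess sharing a 10-byte prefix with
    the secret and one sharing none. Averaging cancels the random wait, so an
    early-exit comparison still shows about 10 units of difference, while a
    constant-time comparison shows about 0: the jitter only raises the
    sample count needed, whereas equal timing removes the signal."""
    rng = random.Random(seed)
    near = SECRET[:10] + b"X" * (len(SECRET) - 10)
    far = b"X" * len(SECRET)
    return (mean_cost(cost_fn, near, samples, jitter, rng)
            - mean_cost(cost_fn, far, samples, jitter, rng))
```

With the default parameters the jitter (up to 50 units) is five times larger than the 10-unit signal, yet 2000 averaged samples recover it from the leaky comparison and show nothing from the constant-time one.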