Saturday, May 08, 2010

Why you should always use trusted libraries for Cryptographic algorithms

Cryptography is an extremely hard subject, full of subtleties that most developers will not spot. It is for this reason that you should always take your cryptographic primitives from a trusted source (e.g. Microsoft's System.Security.Cryptography namespace in .NET): if a vulnerability does turn up in such a library, there is a large team whose job is to find and fix it, and you pick up the fix by updating rather than by auditing code you wrote yourself.

Today I came across a paper showing that even an operation as simple as comparing two values can be implemented in a way that exposes your system.

The attack is called a "remote timing attack". In its simplest form it exploits the fact that a naive comparison of two keys (or MACs, or password hashes) is performed byte by byte and stops at the first mismatch. The longer the comparison takes, the more leading bytes the attacker's guess has right, so an attacker who can measure response time recovers the secret one byte at a time: about 256 attempts per byte instead of 256^n for the whole value. The paper linked below goes further than comparisons: it extracts an RSA private key from an OpenSSL server over the network by timing the server's decryption, where the leak comes from data-dependent branches inside the modular arithmetic rather than from a comparison loop. The lesson is the same: any code path whose running time depends on secret data is a potential oracle.
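The byte-by-byte leak described above, as an added example in Python (it is not code from the post, and .NET is only mentioned in the text as the library to prefer). The function names `naive_compare`, `constant_time_compare` and `recover_secret`, the `SECRET` value and the idea of reporting "bytes examined" in place of wall-clock time are all assumptions made here so the demonstration runs deterministically offline; a real attacker would measure latency over many samples instead.

```python
import hmac


def naive_compare(expected: bytes, provided: bytes):
    """Early-exit comparison, the shape a hand-rolled memcmp usually takes.

    Returns (equal, bytes_examined). The loop stops at the first mismatching
    byte, so the work done (and therefore the time taken) grows with the
    length of the matching prefix. bytes_examined stands in for wall-clock
    time so the demonstration is deterministic.
    """
    if len(expected) != len(provided):
        return False, 0
    examined = 0
    for x, y in zip(expected, provided):
        examined += 1
        if x != y:
            return False, examined
    return True, examined


def constant_time_compare(expected: bytes, provided: bytes):
    """Comparison whose work does not depend on where the inputs differ.

    Every byte pair is XORed and OR-accumulated; the verdict is read only
    once the whole input has been consumed.
    """
    if len(expected) != len(provided):
        return False, 0
    diff = 0
    examined = 0
    for x, y in zip(expected, provided):
        diff |= x ^ y
        examined += 1
    return diff == 0, examined


def recover_secret(oracle, length: int) -> bytes:
    """Rebuild the secret one byte at a time from what the oracle leaks.

    oracle(guess) returns (accepted, work), modelling a server that both
    answers accept/reject and takes a measurable amount of time to do so.
    For each position every candidate byte is tried and the one that made
    the server work longest (or that was accepted outright) is kept.
    """
    known = bytearray()
    for pos in range(length):
        best_byte, best_score = 0, -1
        for candidate in range(256):
            # Known prefix, the byte under test, then zero padding to full length.
            trial = bytes(known) + bytes([candidate]) + bytes(length - pos - 1)
            accepted, work = oracle(trial)
            score = work + (1 if accepted else 0)
            if score > best_score:
                best_byte, best_score = candidate, score
        known.append(best_byte)
    return bytes(known)


# Constructed sample secret (think API key or MAC tag); not taken from the article.
SECRET = bytes.fromhex("8f13c7a2005e41d9")


def attack_naive() -> bytes:
    """Attacker against a server that uses the early-exit comparison."""
    return recover_secret(lambda guess: naive_compare(SECRET, guess), len(SECRET))


def attack_constant_time() -> bytes:
    """Same attacker against a server that uses the constant-time comparison."""
    return recover_secret(lambda guess: constant_time_compare(SECRET, guess), len(SECRET))


if __name__ == "__main__":
    print("secret              :", SECRET.hex())
    print("recovered (naive)   :", attack_naive().hex())
    print("recovered (constant):", attack_constant_time().hex())
    # Python's standard library already ships a constant-time comparison;
    # use it rather than writing your own loop.
    print("hmac.compare_digest :", hmac.compare_digest(SECRET, SECRET))
```

Against `naive_compare` the attacker recovers all eight bytes with 8 × 256 = 2048 queries, because the correct candidate at each position is the only one that makes the server look at one more byte. Against `constant_time_compare` every candidate costs the same and the attacker is left with brute force over the whole value (256^8 tries), so the loop simply returns zeros. This is also the reason to use the library's own routine: Python has `hmac.compare_digest`, and .NET later added `CryptographicOperations.FixedTimeEquals`.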

Here is the paper, which goes into much more depth on this class of attack: Brumley and Boneh, "Remote Timing Attacks are Practical": http://crypto.stanford.edu/~dabo/papers/ssl-timing.pdf

Bottom line: never try to stroke your dev ego by implementing cryptographic algorithms for use in a production environment, and that includes the "easy" pieces such as comparing a MAC or a key. Always use a trusted library from a trusted source, and use its constant-time routines where it provides them.
