| 1 | .. -*- coding: utf-8-with-signature -*- |
|---|
| 2 | |
|---|
| 3 | ======================================================= |
|---|
| 4 | Things To Be Careful About As We Venture Boldly Forth |
|---|
| 5 | ======================================================= |
|---|
| 6 | |
|---|
| 7 | See also :doc:`known_issues`. |
|---|
| 8 | |
|---|
| 9 | Timing Attacks |
|---|
| 10 | ============== |
|---|
| 11 | |
|---|
| 12 | Asymmetric-key cryptography operations are particularly sensitive to |
|---|
| 13 | side-channel attacks. Unless the library is carefully hardened against timing |
|---|
| 14 | attacks, it is dangerous to allow an attacker to measure how long signature |
|---|
| 15 | and pubkey-derivation operations take. With enough samples, the attacker can |
|---|
| 16 | deduce the private signing key from these measurements. (Note that |
|---|
| 17 | verification operations are only sensitive if the verifying key is secret, |
|---|
| 18 | which is not the case for anything in Tahoe). |
|---|
| 19 | |
|---|
| 20 | We currently use private-key operations in mutable-file writes, and |
|---|
| 21 | anticipate using them in signed-introducer announcements and accounting |
|---|
| 22 | setup. |
|---|
| 23 | |
|---|
| 24 | Mutable-file writes can reveal timing information to the attacker because the |
|---|
| 25 | signature operation takes place in the middle of a read-modify-write cycle. |
|---|
| 26 | Modifying a directory requires downloading the old contents of the mutable |
|---|
| 27 | file, modifying the contents, signing the new contents, then uploading the |
|---|
| 28 | new contents. By observing the elapsed time between the receipt of the last |
|---|
| 29 | packet for the download, and the emission of the first packet of the upload, |
|---|
| 30 | the attacker will learn information about how long the signature took. The |
|---|
| 31 | attacker might ensure that they run one of the servers, and delay responding |
|---|
| 32 | to the download request so that their packet is the last one needed by the |
|---|
| 33 | client. They might also manage to be the first server to which a new upload |
|---|
| 34 | packet is sent. This attack gives the adversary timing information about one |
|---|
| 35 | signature operation per mutable-file write. Note that the UCWE |
|---|
| 36 | automatic-retry response (used by default in directory modification code) can |
|---|
| 37 | cause multiple mutable-file read-modify-write cycles per user-triggered |
|---|
| 38 | operation, giving the adversary a slightly higher multiplier. |
|---|
| 39 | |
|---|
| 40 | The signed-introducer announcement involves a signature made as the client |
|---|
| 41 | node is booting, before the first connection is established to the |
|---|
| 42 | Introducer. This might reveal timing information if any information is |
|---|
| 43 | revealed about the client's exact boot time: the signature operation starts a |
|---|
| 44 | fixed number of cycles after node startup, and the first packet to the |
|---|
| 45 | Introducer is sent a fixed number of cycles after the signature is made. An |
|---|
| 46 | adversary who can compare the node boot time against the transmission time of |
|---|
| 47 | the first packet will learn information about the signature operation, one |
|---|
| 48 | measurement per reboot. We currently do not provide boot-time information in |
|---|
| 49 | Introducer messages or other client-to-server data. |
|---|
| 50 | |
|---|
| 51 | In general, we are not worried about these leakages, because timing-channel |
|---|
| 52 | attacks typically require thousands or millions of measurements to detect the |
|---|
| 53 | (presumably) small timing variations exposed by our asymmetric crypto |
|---|
| 54 | operations, which would require thousands of mutable-file writes or thousands |
|---|
| 55 | of reboots to be of use to the adversary. However, future authors should take |
|---|
| 56 | care to not make changes that could provide additional information to |
|---|
| 57 | attackers. |
|---|
