[cryptography] Preventing Time Correlation Attacks on Leaks: Help! :-)

Sebastian Schinzel ssc at seecurity.org
Wed Aug 21 04:33:04 EDT 2013


Dear Fabio,

On 21. Aug 2013, at 09:35 AM, "Fabio Pietrosanti (naif)" <lists at infosecurity.ch> wrote:
> Which kind of logic / algorithm to apply on the Receiver's notification timing in order to prevent / reduce the likelihood that a time correlation pattern is possible?
> 
> A random delay between a lower boundary and an upper boundary seems like the most simple and effective approach to defeat this kind of correlation.
> 
> However this does not work on a very low-traffic GlobaLeaks node.
> 
> What do you think?

Random delays have a bad reputation in crypto because you can filter
them out by repeating measurements. This criticism, however, is not
relevant here as the attacker (e.g. a rogue state) has only a single data
point and has no way to "repeat" this measurement.

So yes, a random delay might help here. The difficulty is to choose 
the distribution and the minimum and maximum delay within.

Another option would be to not send a notification, but to let the submitter
choose some token during submission. The submitter can then later verify
whether the token was received through another service. The service is
public and anyone can query it. This removes the strong correlation
between a submission and the notification.

Regards,
Sebastian
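
The trade-off discussed in this thread, as an added example that is not part of the original messages: it measures how many submissions remain plausible causes of one observed notification when the delay is bounded. The Poisson arrival model, the uniform delay distribution, the hour units and all function names are assumptions made for illustration.

```python
import random
from bisect import bisect_left, bisect_right

def candidate_submissions(sorted_times, notify_time, min_delay, max_delay):
    """Submissions that cannot be ruled out as the cause of a notification.

    With a delay bounded by [min_delay, max_delay], a notification seen at
    notify_time must stem from a submission made in the window
    [notify_time - max_delay, notify_time - min_delay].
    """
    lo = bisect_left(sorted_times, notify_time - max_delay)
    hi = bisect_right(sorted_times, notify_time - min_delay)
    return sorted_times[lo:hi]

def mean_anonymity_set(rate_per_hour, min_delay, max_delay, hours=2000, seed=1):
    """Average candidate-set size for a node with the given submission rate.

    Assumed model: Poisson arrivals, one notification per submission,
    delay drawn uniformly from [min_delay, max_delay] (all in hours).
    """
    rng = random.Random(seed)
    times, t = [], 0.0
    while t < hours:
        t += rng.expovariate(rate_per_hour)
        times.append(t)
    sizes = []
    for s in times:
        notify = s + rng.uniform(min_delay, max_delay)
        sizes.append(len(candidate_submissions(times, notify,
                                               min_delay, max_delay)))
    return sum(sizes) / len(sizes)

if __name__ == "__main__":
    # Constructed scenarios: roughly one submission a day vs. twenty an hour,
    # both with a 1 to 6 hour delay window.
    for rate in (0.05, 20):
        avg = mean_anonymity_set(rate, min_delay=1, max_delay=6)
        print(f"{rate:>5} submissions/hour -> mean candidate set {avg:.1f}")
```

Under this model the expected set size is about 1 + rate × (max_delay − min_delay), so widening the window or raising traffic are the only ways to grow it, and a set of size 1 means the delay hid nothing.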

