Timing attack

Removing timing-dependencies is difficult in some algorithms that use low-level operations that frequently exhibit varied execution time.

Timing attacks are often overlooked in the design phase because they are so dependent on the implementation and can be introduced unintentionally with compiler optimizations.

Avoidance of timing attacks involves design of constant-time functions and careful testing of the final executable code.

Consider an implementation in which every call to a subroutine always returns in exactly x seconds, where x is the maximum time it ever takes to execute that routine on every possible authorized input.

The execution time for the square-and-multiply algorithm used in modular exponentiation depends linearly on the number of '1' bits in the key.

In 2003, Boneh and Brumley demonstrated a practical network-based timing attack on SSL-enabled web servers, based on a different vulnerability having to do with the use of RSA with Chinese remainder theorem optimizations.

The actual network distance was small in their experiments, but the attack successfully recovered a server private key in a matter of hours.

Without any information on the validity of login names the time needed to execute such an approach would increase by orders of magnitude, effectively rendering it useless.

[11] The following C code demonstrates a typical insecure string comparison which stops testing as soon as a character doesn't match.

An example of a timing attack being performed on the web cache . The graph on the left denotes a case where the timing attack is successfully able to detect a cached image whereas the one on the right is unable to do the same.