On 27.06.2015 10:38, Steven D'Aprano wrote:

> Can you say "timing attack"?
>
> http://codahale.com/a-lesson-in-timing-attacks/
>
> Can you [generic you] believe that attackers can *reliably* attack remote
> systems based on a 20µs timing difference? If you say "No", then you fail
> Security 101 and should step away from the computer until a security expert
> can be called in to review your code.

Yes, as people do more and more proper crypto (in contrast to crappy stuff like LFSR-based custom keystream generators and such), side channels become of great importance.

> I'm not a security expert. I'm not even a talented amateur. *Every time* I
> suggest that "X is secure", the security guy at work shoots me down in
> flames. But nicely, because I pay his wages <wink>

:-)

Being shot down in flames is the way to become a security expert, probably the *only* way. I don't know anyone who is an expert who hasn't had that horrible experience at least a dozen times. It is amazing how many holes you can poke in designs if you look at them from enough angles.

Having holes poked in my designs gives you a thorough appreciation for the true crypto experts (i.e. people doing theoretical cryptography).

Best regards,
Johannes

--
>> Where had you predicted the quake EXACTLY, again?
> At least not publicly!
Ah, the latest and to this day most brilliant stroke of our great cosmologists: the secret prediction.
 - Karl Kaos about Rüdiger Thomas in dsa <hidbv3$om2$1...@speranza.aioe.org>