Timing Side-Channel Attacks

A timing side-channel attack exploits variations in the execution time of cryptographic algorithms to infer sensitive information, such as encryption keys, by measuring these differences.

This essentially involves leveraging time to understand a cryptographic implementation and then exploiting it to recover the secret.

Let us look into an example of Comparing a Password →

does_it_match(input_pass):
	good_pass = ‘Abcd!234’
	for i in range (strlen(good_pass)):
		if good_pass[i] != input_pass[i]:
			return False
	return True

This is a classic example where we can actually conduct a timing side-channel attack. The password is matched one letter at a time. If a letter matches, it proceeds to the next one. Thus, there is a difference in timing between matched and unmatched letters. Comparing these timings can yield significant results. This can be achieved by feeding various inputs into the 'does_it_match' function. We can try different inputs to observe if the execution time remains:

• Constant with the same input multiple times

• Different with different input multiple times