timing attack

A timing attack is a security exploit that allows an attacker to discover vulnerabilities in the security of a computer or network system by studying how long it takes the system to respond to different inputs.

Timing characteristics will vary depending upon on the encryption key because different systems take slightly different amounts of time to process different inputs. Variables include performance optimizations, branching and conditional statements, processor instructions, RAM and cache hits. A timing attack looks at how long it takes a system to do something and uses statistical analysis to find the right decryption key and gain access.

The canonical example of a timing attack was designed by cryptographer Paul Kocher. He was able to expose the private decryption keys used by RSA encryption without breaking RSA. Timing attacks are also used to target devices such as smartcards and web servers that use OpenSSL. Web servers were believed to be less vulnerable to timing attacks because network conditions could mask differences in timing; recent research has challenged that assumption.