All in the Timing: Side-Channel Attacks

by phildini on August 25, 2018

This talk was given at PyCon AU 2018.

Slides are available on SpeakerDeck.


“Never write your own cryptography!” is an oft-heard cry in the computer security space. But why is that? In this talk, we’ll cover some of the ways you can write software using algorithms and approaches that are mathematically perfect, but which, due to implementation artifacts, leave your applications exposed.

We’ll start with the mother of all timing attacks, password forms and non-constant time, to give the audience a foundation on what timing attacks are. From there, we’ll explore real-world attacks in the KeyCzar library, the BREACH attack, and PYTHONHASHSEED. All examples will show python code or pseudocode where appropriate, and will be abased on real-world attacks.

We’ll finish with a discussion of Spectre, a recent class of side channel attack that required patches and reboots across the majority of computers on the web – including the complete reboot of many cloud providers.

Our hope is that the audience will come away with a clearer understanding of this corner of the world of computer security, and will have a better answer to “Why shouldn’t I build my own cryptography software?”